[0001]
[0002]
[0003]
[0004]
[0005]
[0006]
[0007]
[0008]
[0009]
[0010]
[0011]
[0012]
[0013]
[0014]
[0015]
[0016]
[0017]
[0018]
[0019]
[0020]
[0021]
[0022]
[0023]
[0024]
[0025]
[0026]
[0027]
[0028]
[0029]
[0030]
[0031]
[0032]
[0033]
[0034]
[0035]
[0036]
[0037]
[0038]
[0039]
[0040]
[0041]
[0042]
[0043]
[0044]
[0045]
[0046]
[0047]
[0048]
[0049]
[0050]
[0051]
[0052]
[0053]
[0054]
[0055]
[0056]
[0057]
[0058]
[0059]
[0060]
[0061]
[0062]
[0063]
[0064]
[0065]
[0066]
[0067]
[0068]
[0069]
[0070]
[0071]
[0072]
[0073]
[0074]
[0075]
[0076]
[0077]
[0078]
[0079]
[0080]
[0081]
[0082]
[0083]
[0084]
[0085]
[0086]
[0087]
[0088]
[0089]
[0090]
[0091]
[0092]
[0093]
[0094]
[0095]
[0096]
[0097]
[0098]
[0099]
[0100]
[0101]
[0102]
[0103]
[0104]
[0105]
[0106]
[0107]
[0108]
[0109]
[0110]
[0111]
[0112]
[0113]
[0114]
[0115]
[0116]
[0117]
[0118]
[0119]
[0120]
[0121]
[0122]
[0123]
[0124]
[0125]
[0126]
[0127]
[0128]
[0129]
[0130]
[0131]
[0132]
[0133]
[0134]
[0135]
[0136]
[0137]
[0138]
[0139]
[0140]
[0141]
[0142]
[0143]
[0144]
[0145]
[0146]
[0147]
[0148]
[0149]
[0150]
[0151]
[0152]
[0153]
[0154]
[0155]
[0156]
[0157]
[0158]
[0159]
[0160]
[0161]
[0162]
[0163]
[0164]
[0165]
[0166]
[0167]
[0168]
[0169]
[0170]
[0171]
[0172]
[0173]
[0174]
[0175]
[0176]
[0177]
[0178]
[0179]
[0180]
[0181]
[0182]
[0183]
[0184]
[0185]
[0186]
[0187]
[0188]
[0189]
[0190]
[0191]
[0192]
[0193]
[0194]
[0195]
[0196]
[0197]
[0198]
[0199]
[0200]
[0201]
[0202]
[0203]
[0204]
[0205]
[0206]
[0207]
[0208]
[0209]
[0210]
[0211]
[0212]
[0213]
[0214]
[0215]
[0216]
[0217]
[0218]
[0219]
[0220]
[0221]
[0222]
[0223]
[0224]
[0225]
[0226]
[0227]
[0228]
[0229]
[0230]
[0231]
[0232]
[0233]
[0234]
[0235]
[0236]
[0237]
[0238]
[0239]
[0240]
[0241]
[0242]
[0243]
[0244]
[0245]
[0246]
[0247]
[0248]
[0249]
[0250]
[0251]
[0252]
[0253]
[0254]
[0255]
[0256]
[0257]
[0258]
[0259]
[0260]
[0261]
[0262]
[0263]
[0264]
[0265]
[0266]
[0267]
[0268]
[0269]
[0270]
[0271]
[0272]
[0273]
[0274]
[0275]
[0276]
[0277]
[0278]
[0279]
[0280]
[0281]
[0282]
[0283]
[0284]
[0285]
[0286]
[0287]
[0288]
[0289]
[0290]
[0291]
[0292]
[0293]
[0294]
[0295]
[0296]
[0297]
[0298]
[0299]
[0300]
[0301]
[0302]
[0303]
[0304]
[0305]
[0306]
[0307]
[0308]
[0309]
[0310]
[0311]
[0312]
[0313]
[0314]
[0315]
[0316]
[0317]
[0318]
[0319]
[0320]
[0321]
[0322]
[0323]
[0324]
[0325]
[0326]
[0327]
[0328]
[0329]
[0330]
[0331]
[0332]
[0333]
[0334]
[0335]
[0336]
[0337]
[0338]
[0339]
[0340]
[0341]
[0342]
[0343]
[0344]
[0345]
[0346]
[0347]
[0348]
[0349]
[0350]
[0351]
[0352]
[0353]
[0354]
[0355]
[0356]
[0357]
[0358]
[0359]
[0360]
[0361]
[0362]
[0363]
[0364]
[0365]
[0366]
[0367]
[0368]
[0369]
[0370]
[0371]
[0372]
[0373]
[0374]
[0375]
[0376]
[0377]
[0378]
[0379]
[0380]
[0381]
[0382]
[0383]
[0384]
[0385]
[0386]
[0387]
[0388]
[0389]
[0390]
[0391]
[0392]
[0393]
[0394]
[0395]
[0396]
[0397]
[0398]
[0399]
[0400]
[0401]
[0402]
[0403]
[0404]
[0405]
[0406]
[0407]
[0408]
[0409]
[0410]
[0411]
[0412]
[0413]
[0414]
[0415]
[0416]
[0417]
[0418]
[0419]
[0420]
[0421]
[0422]
[0423]
[0424]
[0425]
[0426]
[0427]
[0428]
[0429]
[0430]
[0431]
[0432]
[0433]
[0434]
[0435]
[0436]
[0437]
[0438]
[0439]
[0440]
[0441]
[0442]
[0443]
[0444]
[0445]
[0446]
[0447]
[0448]
[0449]
[0450]
[0451]
[0452]
[0453]
[0454]
[0455]
[0456]
[0457]
[0458]
[0459]
[0460]
[0461]
[0462]
[0463]
[0464]
[0465]
[0466]
[0467]
[0468]
[0469]
[0470]
[0471]
[0472]
[0473]
[0474]
[0475]
[0476]
[0477]
[0478]
[0479]
[0480]
[0481]
[0482]
[0483]
[0484]
[0485]
[0486]
[0487]
[0488]
[0489]
[0490]
[0491]
[0492]
[0493]
[0494]
[0495]
[0496]
[0497]
[0498]
[0499]
[0500]
[0501]
[0502]
[0503]
[0504]
[0505]
[0506]
[0507]
[0508]
[0509]
[0510]
[0511]
[0512]
[0513]
[0514]
[0515]
[0516]
[0517]
[0518]
[0519]
[0520]
[0521]
[0522]
[0523]
[0524]
[0525]
[0526]
[0527]
[0528]
[0529]
[0530]
[0531]
[0532]
[0533]
[0534]
[0535]
[0536]
[0537]
[0538]
[0539]
[0540]
[0541]
[0542]
[0543]
[0544]
[0545]
[0546]
[0547]
[0548]
[0549]
[0550]
[0551]
[0552]
[0553]
[0554]
[0555]
[0556]
[0557]
[0558]
[0559]
[0560]
[0561]
[0562]
[0563]
[0564]
[0565]
[0566]
[0567]
[0568]
[0569]
[0570]
[0571]
[0572]
[0573]
[0574]
[0575]
[0576]
[0577]
[0578]
[0579]
[0580]
[0581]
[0582]
[0583]
[0584]
[0585]
[0586]
[0587]
[0588]
[0589]
[0590]
[0591]
[0592]
[0593]
[0594]
[0595]
[0596]
[0597]
[0598]
[0599]
[0600]
[0601]
[0602]
[0603]
[0604]
[0605]
[0606]
[0607]
[0608]
[0609]
[0610]
[0611]
[0612]
[0613]
[0614]
[0615]
[0616]
[0617]
[0618]
[0619]
[0620]
[0621]
[0622]
[0623]
[0624]
[0625]
[0626]
[0627]
[0628]
[0629]
[0630]
[0631]
[0632]
[0633]
[0634]
[0635]
[0636]
[0637]
[0638]
[0639]
[0640]
[0641]
[0642]
[0643]
[0644]
[0645]
[0646]
[0647]
[0648]
[0649]
[0650]
[0651]
[0652]
[0653]
[0654]
[0655]
[0656]
[0657]
[0658]
[0659]
[0660]
[0661]
[0662]
[0663]
[0664]
[0665]
[0666]
[0667]
[0668]
[0669]
[0670]
[0671]
[0672]
[0673]
[0674]
[0675]
[0676]
[0677]
[0678]
[0679]
[0680]
[0681]
[0682]
[0683]
[0684]
[0685]
[0686]
[0687]
[0688]
[0689]
[0690]
[0691]
[0692]
[0693]
[0694]
[0695]
[0696]
[0697]
[0698]
[0699]
[0700]
[0701]
[0702]
[0703]
[0704]
[0705]
[0706]
[0707]
[0708]
[0709]
[0710]
[0711]
[0712]
[0713]
[0714]
[0715]
[0716]
[0717]
[0718]
[0719]
[0720]
[0721]
[0722]
[0723]
[0724]
[0725]
[0726]
[0727]
[0728]
[0729]
[0730]
[0731]
[0732]
[0733]
[0734]
[0735]
[0736]
[0737]
[0738]
[0739]
[0740]
[0741]
[0742]
[0743]
[0744]
[0745]
[0746]
[0747]
[0748]
[0749]
[0750]
[0751]
[0752]
[0753]
[0754]
[0755]
[0756]
[0757]
[0758]
[0759]
[0760]
[0761]
[0762]
[0763]
[0764]
[0765]
[0766]
[0767]
[0768]
[0769]
[0770]
[0771]
[0772]
[0773]
[0774]
[0775]
[0776]
[0777]
[0778]
[0779]
[0780]
[0781]
[0782]
[0783]
[0784]
[0785]
[0786]
[0787]
[0788]
[0789]
[0790]
[0791]
[0792]
[0793]
[0794]
[0795]
[0796]
[0797]
[0798]
[0799]
[0800]
[0801]
[0802]
[0803]
[0804]
[0805]
[0806]
[0807]
[0808]
[0809]
[0810]
[0811]
[0812]
[0813]
[0814]
[0815]
[0816]
[0817]
[0818]
[0819]
[0820]
[0821]
[0822]
[0823]
[0824]
[0825]
[0826]
[0827]
[0828]
[0829]
[0830]
[0831]
[0832]
[0833]
[0834]
[0835]
[0836]
[0837]
[0838]
[0839]
[0840]
[0841]
[0842]
[0843]
[0844]
[0845]
[0846]
[0847]
[0848]
[0849]
[0850]
[0851]
[0852]
[0853]
[0854]
[0855]
[0856]
[0857]
[0858]
[0859]
[0860]
[0861]
[0862]
[0863]
[0864]
[0865]
[0866]
[0867]
[0868]
[0869]
[0870]
[0871]
[0872]
[0873]
[0874]
[0875]
[0876]
[0877]
[0878]
[0879]
[0880]
[0881]
[0882]
[0883]
[0884]
[0885]
[0886]
[0887]
[0888]
[0889]
[0890]
[0891]
[0892]
[0893]
[0894]
[0895]
[0896]
[0897]
[0898]
[0899]
[0900]
[0901]
[0902]
[0903]
[0904]
[0905]
[0906]
[0907]
[0908]
[0909]
[0910]
[0911]
[0912]
[0913]
[0914]
[0915]
[0916]
[0917]
[0918]
[0919]
[0920]
[0921]
[0922]
[0923]
[0924]
[0925]
[0926]
[0927]
[0928]
[0929]
[0930]
[0931]
[0932]
[0933]
[0934]
[0935]
[0936]
[0937]
[0938]
[0939]
[0940]
[0941]
[0942]
[0943]
[0944]
[0945]
[0946]
[0947]
[0948]
[0949]
[0950]
[0951]
[0952]
[0953]
[0954]
[0955]
[0956]
[0957]
[0958]
[0959]
[0960]
[0961]
[0962]
[0963]
[0964]
[0965]
[0966]
[0967]
[0968]
[0969]
[0970]
[0971]
[0972]
[0973]
[0974]
[0975]
[0976]
[0977]
[0978]
[0979]
[0980]
[0981]
[0982]
[0983]
[0984]
[0985]
[0986]
[0987]
[0988]
[0989]
[0990]
[0991]
[0992]
[0993]
[0994]
[0995]
[0996]
[0997]
[0998]
[0999]
[1000]
[1001]
[1002]
[1003]
[1004]
[1005]
[1006]
[1007]
[1008]
[1009]
[1010]
[1011]
[1012]
[1013]
[1014]
[1015]
[1016]
[1017]
[1018]
[1019]
[1020]
[1021]
[1022]
[1023]
[1024]
[1025]
[1026]
[1027]
[1028]
[1029]
[1030]
[1031]
[1032]
[1033]
[1034]
[1035]
[1036]
[1037]
[1038]
[1039]
[1040]
[1041]
[1042]
[1043]
[1044]
[1045]
[1046]
[1047]
[1048]
[1049]
[1050]
[1051]
[1052]
[1053]
[1054]
[1055]
[1056]
[1057]
[1058]
[1059]
[1060]
[1061]
[1062]
[1063]
[1064]
[1065]
[1066]
[1067]
[1068]
[1069]
[1070]
[1071]
[1072]
[1073]
[1074]
[1075]
[1076]
[1077]
[1078]
[1079]
[1080]
[1081]
[1082]
[1083]
[1084]
[1085]
[1086]
[1087]
[1088]
[1089]
[1090]
[1091]
[1092]
[1093]
[1094]
[1095]
[1096]
[1097]
[1098]
[1099]
[1100]
[1101]
[1102]
[1103]
[1104]
[1105]
[1106]
[1107]
[1108]
[1109]
[1110]
[1111]
[1112]
[1113]
[1114]
[1115]
[1116]
[1117]
[1118]
[1119]
[1120]
[1121]
[1122]
[1123]
[1124]
[1125]
[1126]
[1127]
[1128]
[1129]
[1130]
[1131]
[1132]
[1133]
[1134]
[1135]
[1136]
[1137]
[1138]
[1139]
[1140]
[1141]
[1142]
[1143]
[1144]
[1145]
[1146]
[1147]
[1148]
[1149]
[1150]
[1151]
[1152]
[1153]
[1154]
[1155]
[1156]
[1157]
[1158]
[1159]
[1160]
[1161]
[1162]
[1163]
[1164]
[1165]
[1166]
[1167]
[1168]
[1169]
[1170]
[1171]
[1172]
[1173]
[1174]
[1175]
[1176]
[1177]
[1178]
[1179]
[1180]
[1181]
[1182]
[1183]
[1184]
[1185]
[1186]
[1187]
[1188]
[1189]
[1190]
[1191]
[1192]
[1193]
[1194]
[1195]
[1196]
[1197]
[1198]
[1199]
[1200]
[1201]
[1202]
[1203]
[1204]
[1205]
[1206]
[1207]
[1208]
[1209]
[1210]
[1211]
[1212]
[1213]
[1214]
[1215]
[1216]
[1217]
[1218]
[1219]
[1220]
[1221]
[1222]
[1223]
[1224]
[1225]
[1226]
[1227]
[1228]
[1229]
[1230]
[1231]
[1232]
[1233]
[1234]
[1235]
[1236]
[1237]
[1238]
[1239]
[1240]
[1241]
[1242]
[1243]
[1244]
[1245]
[1246]
[1247]
[1248]
[1249]
[1250]
[1251]
[1252]
[1253]
[1254]
[1255]
[1256]
[1257]
[1258]
[1259]
[1260]
[1261]
[1262]
[1263]
[1264]
[1265]
[1266]
[1267]
[1268]
[1269]
[1270]
[1271]
[1272]
[1273]
[1274]
[1275]
[1276]
[1277]
[1278]
[1279]
[1280]
[1281]
[1282]
[1283]
[1284]
[1285]
[1286]
[1287]
[1288]
[1289]
[1290]
[1291]
[1292]
[1293]
[1294]
[1295]
[1296]
[1297]
[1298]
[1299]
[1300]
[1301]
[1302]
[1303]
[1304]
[1305]
[1306]
[1307]
[1308]
[1309]
[1310]
[1311]
[1312]
[1313]
[1314]
[1315]
[1316]
[1317]
[1318]
[1319]
[1320]
[1321]
[1322]
[1323]
[1324]
[1325]
[1326]
[1327]
[1328]
[1329]
[1330]
[1331]
[1332]
[1333]
[1334]
[1335]
[1336]
[1337]
[1338]
[1339]
[1340]
[1341]
[1342]
[1343]
[1344]
[1345]
[1346]
[1347]
[1348]
[1349]
[1350]
[1351]
[1352]
[1353]
[1354]
[1355]
[1356]
[1357]
[1358]
[1359]
[1360]
[1361]
[1362]
[1363]
[1364]
[1365]
[1366]
[1367]
[1368]
[1369]
[1370]
[1371]
[1372]
[1373]
[1374]
[1375]
[1376]
[1377]
[1378]
[1379]
[1380]
[1381]
[1382]
[1383]
[1384]
[1385]
[1386]
[1387]
[1388]
[1389]
[1390]
[1391]
[1392]
[1393]
[1394]
[1395]
[1396]
[1397]
[1398]
[1399]
[1400]
[1401]
[1402]
[1403]
[1404]
[1405]
[1406]
[1407]
[1408]
[1409]
[1410]
[1411]
[1412]
[1413]
[1414]
[1415]
[1416]
[1417]
[1418]
[1419]
[1420]
[1421]
[1422]
[1423]
[1424]
[1425]
[1426]
[1427]
[1428]
[1429]
[1430]
[1431]
[1432]
[1433]
[1434]
[1435]
[1436]
[1437]
[1438]
[1439]
[1440]
[1441]
[1442]
[1443]
[1444]
[1445]
[1446]
[1447]
[1448]
[1449]
[1450]
[1451]
[1452]
[1453]
[1454]
[1455]
[1456]
[1457]
[1458]
[1459]
[1460]
[1461]
[1462]
[1463]
[1464]
[1465]
[1466]
[1467]
[1468]
[1469]
[1470]
[1471]
[1472]
[1473]
[1474]
[1475]
[1476]
[1477]
[1478]
[1479]
[1480]
[1481]
[1482]
[1483]
[1484]
[1485]
[1486]
[1487]
[1488]
[1489]
[1490]
[1491]
[1492]
[1493]
[1494]
[1495]
[1496]
[1497]
[1498]
[1499]
[1500]
[1501]
[1502]
[1503]
[1504]
[1505]
[1506]
[1507]
[1508]
[1509]
[1510]
[1511]
[1512]
[1513]
[1514]
[1515]
[1516]
[1517]
[1518]
[1519]
[1520]
[1521]
[1522]
[1523]
[1524]
[1525]
[1526]
[1527]
[1528]
[1529]
[1530]
[1531]
[1532]
[1533]
[1534]
[1535]
[1536]
[1537]
[1538]
[1539]
[1540]
[1541]
[1542]
[1543]
[1544]
[1545]
[1546]
[1547]
[1548]
[1549]
[1550]
[1551]
[1552]
[1553]
[1554]
[1555]
[1556]
[1557]
[1558]
[1559]
[1560]
[1561]
[1562]
[1563]
[1564]
[1565]
[1566]
[1567]
[1568]
[1569]
[1570]
[1571]
[1572]
[1573]
[1574]
[1575]
[1576]
[1577]
[1578]
[1579]
[1580]
[1581]
[1582]
[1583]
[1584]
[1585]
[1586]
[1587]
[1588]
[1589]
[1590]
[1591]
[1592]
[1593]
[1594]
[1595]
[1596]
[1597]
[1598]
[1599]
[1600]
[1601]
[1602]
[1603]
[1604]
[1605]
[1606]
[1607]
[1608]
[1609]
[1610]
[1611]
[1612]
[1613]
[1614]
[1615]
[1616]
[1617]
[1618]
[1619]
[1620]
[1621]
[1622]
[1623]
[1624]
[1625]
[1626]
[1627]
[1628]
[1629]
[1630]
[1631]
[1632]
[1633]
[1634]
[1635]
[1636]
[1637]
[1638]
[1639]
[1640]
[1641]
[1642]
[1643]
[1644]
[1645]
[1646]
[1647]
[1648]
[1649]
[1650]
[1651]
[1652]
[1653]
[1654]
[1655]
[1656]
[1657]
[1658]
[1659]
[1660]
[1661]
[1662]
[1663]
[1664]
[1665]
[1666]
[1667]
[1668]
[1669]
[1670]
[1671]
[1672]
[1673]
[1674]
[1675]
[1676]
[1677]
[1678]
[1679]
[1680]
[1681]
[1682]
[1683]
[1684]
[1685]
[1686]
[1687]
[1688]
[1689]
[1690]
[1691]
[1692]
[1693]
[1694]
[1695]
[1696]
[1697]
[1698]
[1699]
[1700]
[1701]
[1702]
[1703]
[1704]
[1705]
[1706]
[1707]
[1708]
[1709]
[1710]
[1711]
[1712]
[1713]
[1714]
[1715]
[1716]
[1717]
[1718]
[1719]
[1720]
[1721]
[1722]
[1723]
[1724]
[1725]
[1726]
[1727]
[1728]
[1729]
[1730]
[1731]
[1732]
[1733]
[1734]
[1735]
[1736]
[1737]
[1738]
[1739]
[1740]
[1741]
[1742]
[1743]
[1744]
[1745]
[1746]
[1747]
[1748]
[1749]
[1750]
[1751]
[1752]
[1753]
[1754]
[1755]
[1756]
[1757]
[1758]
[1759]
[1760]
[1761]
[1762]
[1763]
[1764]
[1765]
[1766]
[1767]
[1768]
[1769]
[1770]
[1771]
[1772]
[1773]
[1774]
[1775]
[1776]
[1777]
[1778]
[1779]
[1780]
[1781]
[1782]
[1783]
[1784]
[1785]
[1786]
[1787]
[1788]
[1789]
[1790]
[1791]
[1792]
[1793]
[1794]
[1795]
[1796]
[1797]
[1798]
[1799]
[1800]
[1801]
[1802]
[1803]
[1804]
[1805]
[1806]
[1807]
[1808]
[1809]
[1810]
[1811]
[1812]
[1813]
[1814]
[1815]
[1816]
[1817]
[1818]
[1819]
[1820]
[1821]
[1822]
[1823]
[1824]
[1825]
[1826]
[1827]
[1828]
[1829]
[1830]
[1831]
[1832]
[1833]
[1834]
[1835]
[1836]
[1837]
[1838]
[1839]
[1840]
[1841]
[1842]
[1843]
[1844]
[1845]
[1846]
[1847]
[1848]
[1849]
[1850]
[1851]
[1852]
[1853]
[1854]
[1855]
[1856]
[1857]
[1858]
[1859]
[1860]
[1861]
[1862]
[1863]
[1864]
[1865]
[1866]
[1867]
[1868]
[1869]
[1870]
[1871]
[1872]
[1873]
[1874]
[1875]
[1876]
[1877]
[1878]
[1879]
[1880]
[1881]
[1882]
[1883]
[1884]
[1885]
[1886]
[1887]
[1888]
[1889]
[1890]
[1891]
[1892]
[1893]
[1894]
[1895]
[1896]
[1897]
[1898]
[1899]
[1900]
[1901]
[1902]
[1903]
[1904]
[1905]
[1906]
[1907]
[1908]
[1909]
[1910]
[1911]
[1912]
[1913]
[1914]
[1915]
[1916]
[1917]
[1918]
[1919]
[1920]
[1921]
[1922]
[1923]
[1924]
[1925]
[1926]
[1927]
[1928]
[1929]
[1930]
[1931]
[1932]
[1933]
[1934]
[1935]
[1936]
[1937]
[1938]
[1939]
[1940]
[1941]
[1942]
[1943]
[1944]
[1945]
[1946]
[1947]
[1948]
[1949]
[1950]
[1951]
[1952]
[1953]
[1954]
[1955]
[1956]
[1957]
[1958]
[1959]
[1960]
[1961]
[1962]
[1963]
[1964]
[1965]
[1966]
[1967]
[1968]
[1969]
[1970]
[1971]
[1972]
[1973]
[1974]
[1975]
[1976]
[1977]
[1978]
[1979]
[1980]
[1981]
[1982]
[1983]
[1984]
[1985]
[1986]
[1987]
[1988]
[1989]
[1990]
[1991]
[1992]
[1993]
[1994]
[1995]
[1996]
[1997]
[1998]
[1999]
[2000]
[2001]
[2002]
[2003]
[2004]
[2005]
[2006]
[2007]
[2008]
[2009]
[2010]
[2011]
[2012]
[2013]
[2014]
[2015]
[2016]
[2017]
[2018]
[2019]
[2020]
[2021]
[2022]
[2023]
[2024]
[2025]
[2026]
[2027]
[2028]
[2029]
[2030]
[2031]
[2032]
[2033]
[2034]
[2035]
[2036]
[2037]
[2038]
[2039]
[2040]
[2041]
[2042]
[2043]
[2044]
[2045]
[2046]
[2047]
[2048]
[2049]
[2050]
[2051]
[2052]
[2053]
[2054]
[2055]
[2056]
[2057]
[2058]
[2059]
[2060]
[2061]
[2062]
[2063]
[2064]
[2065]
[2066]
[2067]
[2068]
[2069]
[2070]
[2071]
[2072]
[2073]
[2074]
[2075]
[2076]
[2077]
[2078]
[2079]
[2080]
[2081]
[2082]
[2083]
[2084]
[2085]
[2086]
[2087]
[2088]
[2089]
[2090]
[2091]
[2092]
[2093]
[2094]
[2095]
[2096]
[2097]
[2098]
[2099]
[2100]
[2101]
[2102]
[2103]
[2104]
[2105]
[2106]
[2107]
[2108]
[2109]
[2110]
[2111]
[2112]
[2113]
[2114]
[2115]
[2116]
[2117]
[2118]
[2119]
[2120]
[2121]
[2122]
[2123]
[2124]
[2125]
[2126]
[2127]
[2128]
[2129]
[2130]
[2131]
[2132]
[2133]
[2134]
[2135]
[2136]
[2137]
[2138]
[2139]
[2140]
[2141]
[2142]
[2143]
[2144]
[2145]
[2146]
[2147]
[2148]
[2149]
[2150]
[2151]
[2152]
[2153]
[2154]
[2155]
[2156]
[2157]
[2158]
[2159]
[2160]
[2161]
[2162]
[2163]
[2164]
[2165]
[2166]
[2167]
[2168]
[2169]
[2170]
[2171]
[2172]
[2173]
[2174]
[2175]
[2176]
[2177]
[2178]
[2179]
[2180]
[2181]
[2182]
[2183]
[2184]
[2185]
[2186]
[2187]
[2188]
[2189]
[2190]
[2191]
[2192]
[2193]
[2194]
[2195]
[2196]
[2197]
[2198]
[2199]
[2200]
[2201]
[2202]
[2203]
[2204]
[2205]
[2206]
[2207]
[2208]
[2209]
[2210]
[2211]
[2212]
[2213]
[2214]
[2215]
[2216]
[2217]
[2218]
[2219]
[2220]
[2221]
[2222]
[2223]
[2224]
[2225]
[2226]
[2227]
[2228]
[2229]
[2230]
[2231]
[2232]
[2233]
[2234]
[2235]
[2236]
[2237]
[2238]
[2239]
[2240]
[2241]
[2242]
[2243]
[2244]
[2245]
[2246]
[2247]
[2248]
[2249]
[2250]
[2251]
[2252]
[2253]
[2254]
[2255]
[2256]
[2257]
[2258]
[2259]
[2260]
[2261]
[2262]
[2263]
[2264]
[2265]
[2266]
[2267]
[2268]
[2269]
[2270]
[2271]
[2272]
[2273]
[2274]
[2275]
[2276]
[2277]
[2278]
[2279]
[2280]
[2281]
[2282]
[2283]
[2284]
[2285]
[2286]
[2287]
[2288]
[2289]
[2290]
[2291]
[2292]
[2293]
[2294]
[2295]
[2296]
[2297]
[2298]
[2299]
[2300]
[2301]
[2302]
[2303]
[2304]
[2305]
[2306]
[2307]
[2308]
[2309]
[2310]
[2311]
[2312]
[2313]
[2314]
[2315]
[2316]
[2317]
[2318]
[2319]
[2320]
[2321]
[2322]
[2323]
[2324]
[2325]
[2326]
[2327]
[2328]
[2329]
[2330]
[2331]
[2332]
[2333]
[2334]
[2335]
[2336]
[2337]
[2338]
[2339]
[2340]
[2341]
[2342]
[2343]
[2344]
[2345]
[2346]
[2347]
[2348]
[2349]
[2350]
[2351]
[2352]
[2353]
[2354]
[2355]
[2356]
[2357]
[2358]
[2359]
[2360]
[2361]
[2362]
[2363]
[2364]
[2365]
[2366]
[2367]
[2368]
[2369]
[2370]
[2371]
[2372]
[2373]
[2374]
[2375]
[2376]
[2377]
[2378]
[2379]
[2380]
[2381]
[2382]
[2383]
[2384]
[2385]
[2386]
[2387]
[2388]
[2389]
[2390]
[2391]
[2392]
[2393]
[2394]
[2395]
[2396]
[2397]
[2398]
[2399]
[2400]
[2401]
[2402]
[2403]
[2404]
[2405]
[2406]
[2407]
[2408]
[2409]
[2410]
[2411]
[2412]
[2413]
[2414]
[2415]
[2416]
[2417]
[2418]
[2419]
[2420]
[2421]
[2422]
[2423]
[2424]
[2425]
[2426]
[2427]
[2428]
[2429]
[2430]
[2431]
[2432]
[2433]
[2434]
[2435]
[2436]
[2437]
[2438]
[2439]
[2440]
[2441]
[2442]
[2443]
[2444]
[2445]
[2446]
[2447]
[2448]
[2449]
[2450]
[2451]
[2452]
[2453]
[2454]
[2455]
[2456]
[2457]
[2458]
[2459]
[2460]
[2461]
[2462]
[2463]
[2464]
[2465]
[2466]
[2467]
[2468]
[2469]
[2470]
[2471]
[2472]
[2473]
[2474]
[2475]
[2476]
[2477]
[2478]
[2479]
[2480]
[2481]
[2482]
[2483]
[2484]
[2485]
[2486]
[2487]
[2488]
[2489]
[2490]
[2491]
[2492]
[2493]
[2494]
[2495]
[2496]
[2497]
[2498]
[2499]
[2500]
[2501]
[2502]
[2503]
[2504]
[2505]
[2506]
[2507]
[2508]
[2509]
[2510]
[2511]
[2512]
[2513]
[2514]
[2515]
[2516]
[2517]
[2518]
[2519]
[2520]
[2521]
[2522]
[2523]
[2524]
[2525]
[2526]
[2527]
[2528]
[2529]
[2530]
[2531]
[2532]
[2533]
[2534]
[2535]
[2536]
[2537]
[2538]
[2539]
[2540]
[2541]
[2542]
[2543]
[2544]
[2545]
[2546]
[2547]
[2548]
[2549]
[2550]
[2551]
[2552]
[2553]
[2554]
[2555]
[2556]
[2557]
[2558]
[2559]
[2560]
[2561]
[2562]
[2563]
[2564]
[2565]
[2566]
[2567]
[2568]
[2569]
[2570]
[2571]
[2572]
[2573]
[2574]
[2575]
[2576]
[2577]
[2578]
[2579]
[2580]
[2581]
[2582]
[2583]
[2584]
[2585]
[2586]
[2587]
[2588]
[2589]
[2590]
[2591]
[2592]
[2593]
[2594]
[2595]
[2596]
[2597]
[2598]
[2599]
[2600]
[2601]
[2602]
[2603]
[2604]
[2605]
[2606]
[2607]
[2608]
[2609]
[2610]
[2611]
[2612]
[2613]
[2614]
[2615]
[2616]
[2617]
[2618]
[2619]
[2620]
[2621]
[2622]
[2623]
[2624]
[2625]
[2626]
[2627]
[2628]
[2629]
[2630]
[2631]
[2632]
[2633]
[2634]
[2635]
[2636]
[2637]
[2638]
[2639]
[2640]
[2641]
[2642]
[2643]
[2644]
[2645]
[2646]
[2647]
[2648]
[2649]
[2650]
[2651]
[2652]
[2653]
[2654]
[2655]
[2656]
[2657]
[2658]
[2659]
[2660]
[2661]
[2662]
[2663]
[2664]
[2665]
[2666]
[2667]
[2668]
[2669]
[2670]
[2671]
[2672]
[2673]
[2674]
[2675]
[2676]
[2677]
[2678]
[2679]
[2680]
[2681]
[2682]
[2683]
[2684]
[2685]
[2686]
[2687]
[2688]
[2689]
[2690]
[2691]
[2692]
[2693]
[2694]
[2695]
[2696]
[2697]
[2698]
[2699]
[2700]
[2701]
[2702]
[2703]
[2704]
[2705]
[2706]
[2707]
[2708]
[2709]
[2710]
[2711]
[2712]
[2713]
[2714]
[2715]
[2716]
[2717]
[2718]
[2719]
[2720]
[2721]
[2722]
[2723]
[2724]
[2725]
[2726]
[2727]
[2728]
[2729]
[2730]
[2731]
[2732]
[2733]
[2734]
[2735]
[2736]
[2737]
[2738]
[2739]
[2740]
[2741]
[2742]
[2743]
[2744]
[2745]
[2746]
[2747]
[2748]
[2749]
[2750]
[2751]
[2752]
[2753]
[2754]
[2755]
[2756]
[2757]
[2758]
[2759]
[2760]
[2761]
[2762]
[2763]
[2764]
[2765]
[2766]
[2767]
[2768]
[2769]
[2770]
[2771]
[2772]
[2773]
[2774]
[2775]
[2776]
[2777]
[2778]
[2779]
[2780]
[2781]
[2782]
[2783]
[2784]
[2785]
[2786]
[2787]
[2788]
[2789]
[2790]
[2791]
[2792]
[2793]
[2794]
[2795]
[2796]
[2797]
[2798]
[2799]
[2800]
[2801]
[2802]
[2803]
[2804]
[2805]
[2806]
[2807]
[2808]
[2809]
[2810]
[2811]
[2812]
[2813]
[2814]
[2815]
[2816]
[2817]
[2818]
[2819]
[2820]
[2821]
[2822]
[2823]
[2824]
[2825]
[2826]
[2827]
[2828]
[2829]
[2830]
[2831]
[2832]
[2833]
[2834]
[2835]
[2836]
[2837]
[2838]
[2839]
[2840]
[2841]
[2842]
[2843]
[2844]
[2845]
[2846]
[2847]
[2848]
[2849]
[2850]
[2851]
[2852]
[2853]
[2854]
[2855]
[2856]
[2857]
[2858]
[2859]
[2860]
[2861]
[2862]
[2863]
[2864]
[2865]
[2866]
[2867]
[2868]
[2869]
[2870]
[2871]
[2872]
[2873]
[2874]
[2875]
[2876]
[2877]
[2878]
[2879]
[2880]
[2881]
[2882]
[2883]
[2884]
[2885]
[2886]
[2887]
[2888]
[2889]
[2890]
[2891]
[2892]
[2893]
[2894]
[2895]
[2896]
[2897]
[2898]
[2899]
[2900]
[2901]
[2902]
[2903]
[2904]
[2905]
[2906]
[2907]
[2908]
[2909]
[2910]
[2911]
[2912]
[2913]
[2914]
[2915]
[2916]
[2917]
[2918]
[2919]
[2920]
[2921]
[2922]
[2923]
[2924]
[2925]
[2926]
[2927]
[2928]
[2929]
[2930]
[2931]
[2932]
[2933]
[2934]
[2935]
[2936]
[2937]
[2938]
[2939]
[2940]
[2941]
[2942]
[2943]
[2944]
[2945]
[2946]
[2947]
[2948]
[2949]
[2950]
[2951]
[2952]
[2953]
[2954]
[2955]
[2956]
[2957]
[2958]
[2959]
[2960]
[2961]
[2962]
[2963]
[2964]
[2965]
[2966]
[2967]
[2968]
[2969]
[2970]
[2971]
[2972]
[2973]
[2974]
[2975]
[2976]
[2977]
[2978]
[2979]
[2980]
[2981]
[2982]
[2983]
[2984]
[2985]
[2986]
[2987]
[2988]
[2989]
[2990]
[2991]
[2992]
[2993]
[2994]
[2995]
[2996]
[2997]
[2998]
[2999]
[3000]
[3001]
[3002]
[3003]
[3004]
[3005]
[3006]
[3007]
[3008]
[3009]
[3010]
[3011]
[3012]
[3013]
[3014]
[3015]
[3016]
[3017]
[3018]
[3019]
[3020]
[3021]
[3022]
[3023]
[3024]
[3025]
[3026]
[3027]
[3028]
[3029]
[3030]
[3031]
[3032]
[3033]
[3034]
[3035]
[3036]
[3037]
[3038]
[3039]
[3040]
[3041]
[3042]
[3043]
[3044]
[3045]
[3046]
[3047]
[3048]
[3049]
[3050]
[3051]
[3052]
[3053]
[3054]
[3055]
[3056]
[3057]
[3058]
[3059]
[3060]
[3061]
[3062]
[3063]
[3064]
[3065]
[3066]
[3067]
[3068]
[3069]
[3070]
[3071]
[3072]
[3073]
[3074]
[3075]
[3076]
[3077]
[3078]
[3079]
[3080]
[3081]
[3082]
[3083]
[3084]
[3085]
[3086]
[3087]
[3088]
[3089]
[3090]
[3091]
[3092]
[3093]
[3094]
[3095]
[3096]
[3097]
[3098]
[3099]
[3100]
[3101]
[3102]
[3103]
[3104]
[3105]
[3106]
[3107]
[3108]
[3109]
[3110]
[3111]
[3112]
[3113]
[3114]
[3115]
[3116]
[3117]
[3118]
[3119]
[3120]
[3121]
[3122]
[3123]
[3124]
[3125]
[3126]
[3127]
[3128]
[3129]
[3130]
[3131]
[3132]
[3133]
[3134]
[3135]
[3136]
[3137]
[3138]
[3139]
[3140]
[3141]
[3142]
[3143]
[3144]
[3145]
[3146]
[3147]
[3148]
[3149]
[3150]
[3151]
[3152]
[3153]
[3154]
[3155]
[3156]
[3157]
[3158]
[3159]
[3160]
[3161]
[3162]
[3163]
[3164]
[3165]
[3166]
[3167]
[3168]
[3169]
[3170]
[3171]
[3172]
[3173]
[3174]
[3175]
[3176]
[3177]
[3178]
[3179]
[3180]
[3181]
[3182]
[3183]
[3184]
[3185]
[3186]
[3187]
[3188]
[3189]
[3190]
[3191]
[3192]
[3193]
[3194]
[3195]
[3196]
[3197]
[3198]
[3199]
[3200]
[3201]
[3202]
[3203]
[3204]
[3205]
[3206]
[3207]
[3208]
[3209]
[3210]
[3211]
[3212]
[3213]
[3214]
[3215]
[3216]
[3217]
[3218]
[3219]
[3220]
[3221]
[3222]
[3223]
[3224]
[3225]
[3226]
[3227]
[3228]
[3229]
[3230]
[3231]
[3232]
[3233]
[3234]
[3235]
[3236]
[3237]
[3238]
[3239]
[3240]
[3241]
[3242]
[3243]
[3244]
[3245]
[3246]
[3247]
[3248]
[3249]
[3250]
[3251]
[3252]
[3253]
[3254]
[3255]
[3256]
[3257]
[3258]
[3259]
[3260]
[3261]
[3262]
[3263]
[3264]
[3265]
[3266]
[3267]
[3268]
[3269]
[3270]
[3271]
[3272]
[3273]
[3274]
[3275]
[3276]
[3277]
[3278]
[3279]
[3280]
[3281]
[3282]
[3283]
[3284]
[3285]
[3286]
[3287]
[3288]
[3289]
[3290]
[3291]
[3292]
[3293]
[3294]
[3295]
[3296]
[3297]
[3298]
[3299]
[3300]
[3301]
[3302]
[3303]
[3304]
[3305]
[3306]
[3307]
[3308]
[3309]
[3310]
[3311]
[3312]
[3313]
[3314]
[3315]
[3316]
[3317]
[3318]
[3319]
[3320]
[3321]
[3322]
[3323]
[3324]
[3325]
[3326]
[3327]
[3328]
[3329]
[3330]
[3331]
[3332]
[3333]
[3334]
[3335]
[3336]
[3337]
[3338]
[3339]
[3340]
[3341]
[3342]
[3343]
[3344]
[3345]
[3346]
[3347]
[3348]
[3349]
[3350]
[3351]
[3352]
[3353]
[3354]
[3355]
[3356]
[3357]
[3358]
[3359]
[3360]
[3361]
[3362]
[3363]
[3364]
[3365]
[3366]
[3367]
[3368]
[3369]
[3370]
[3371]
[3372]
[3373]
[3374]
[3375]
[3376]
[3377]
[3378]
[3379]
[3380]
[3381]
[3382]
[3383]
[3384]
[3385]
[3386]
[3387]
[3388]
[3389]
[3390]
[3391]
[3392]
[3393]
[3394]
[3395]
[3396]
[3397]
[3398]
[3399]
[3400]
[3401]
[3402]
[3403]
[3404]
[3405]
[3406]
[3407]
[3408]
[3409]
[3410]
[3411]
[3412]
[3413]
[3414]
[3415]
[3416]
[3417]
[3418]
[3419]
[3420]
[3421]
[3422]
[3423]
[3424]
[3425]
[3426]
[3427]
[3428]
[3429]
[3430]
[3431]
[3432]
[3433]
[3434]
[3435]
[3436]
[3437]
[3438]
[3439]
[3440]
[3441]
[3442]
[3443]
[3444]
[3445]
[3446]
[3447]
[3448]
[3449]
[3450]
[3451]
[3452]
[3453]
[3454]
[3455]
[3456]
[3457]
[3458]
[3459]
[3460]
[3461]
[3462]
[3463]
[3464]
[3465]
[3466]
[3467]
[3468]
[3469]
[3470]
[3471]
[3472]
[3473]
[3474]
[3475]
[3476]
[3477]
[3478]
[3479]
[3480]
[3481]
[3482]
[3483]
[3484]
[3485]
[3486]
[3487]
[3488]
[3489]
[3490]
[3491]
[3492]
[3493]
[3494]
[3495]
[3496]
[3497]
[3498]
[3499]
[3500]
[3501]
[3502]
[3503]
[3504]
[3505]
[3506]
[3507]
[3508]
[3509]
[3510]
[3511]
[3512]
[3513]
[3514]
[3515]
[3516]
[3517]
[3518]
[3519]
[3520]
[3521]
[3522]
[3523]
[3524]
[3525]
[3526]
[3527]
[3528]
[3529]
[3530]
[3531]
[3532]
[3533]
[3534]
[3535]
[3536]
[3537]
[3538]
[3539]
[3540]
[3541]
[3542]
[3543]
[3544]
[3545]
[3546]
[3547]
[3548]
[3549]
[3550]
[3551]
[3552]
[3553]
[3554]
[3555]
[3556]
[3557]
[3558]
[3559]
[3560]
[3561]
[3562]
[3563]
[3564]
[3565]
[3566]
[3567]
[3568]
[3569]
[3570]
[3571]
[3572]
[3573]
[3574]
[3575]
[3576]
[3577]
[3578]
[3579]
[3580]
[3581]
[3582]
[3583]
[3584]
[3585]
[3586]
[3587]
[3588]
[3589]
[3590]
[3591]
[3592]
[3593]
[3594]
[3595]
[3596]
[3597]
[3598]
[3599]
[3600]
[3601]
[3602]
[3603]
[3604]
[3605]
[3606]
[3607]
[3608]
[3609]
[3610]
[3611]
[3612]
[3613]
[3614]
[3615]
[3616]
[3617]
[3618]
[3619]
[3620]
[3621]
[3622]
[3623]
[3624]
[3625]
[3626]
[3627]
[3628]
[3629]
[3630]
[3631]
[3632]
[3633]
[3634]
[3635]
[3636]
[3637]
[3638]
[3639]
[3640]
[3641]
[3642]
[3643]
[3644]
[3645]
[3646]
[3647]
[3648]
[3649]
[3650]
[3651]
[3652]
[3653]
[3654]
[3655]
[3656]
[3657]
[3658]
[3659]
[3660]
[3661]
[3662]
[3663]
[3664]
[3665]
[3666]
[3667]
[3668]
[3669]
[3670]
[3671]
[3672]
[3673]
[3674]
[3675]
[3676]
[3677]
[3678]
[3679]
[3680]
[3681]
[3682]
[3683]
[3684]
[3685]
[3686]
[3687]
[3688]
[3689]
[3690]
[3691]
[3692]
[3693]
[3694]
[3695]
[3696]
[3697]
[3698]
[3699]
[3700]
[3701]
[3702]
[3703]
[3704]
[3705]
[3706]
[3707]
[3708]
[3709]
[3710]
[3711]
[3712]
[3713]
[3714]
[3715]
[3716]
[3717]
[3718]
[3719]
[3720]
[3721]
[3722]
[3723]
[3724]
[3725]
[3726]
[3727]
[3728]
[3729]
[3730]
[3731]
[3732]
[3733]
[3734]
[3735]
[3736]
[3737]
[3738]
[3739]
[3740]
[3741]
[3742]
[3743]
[3744]
[3745]
[3746]
[3747]
[3748]
[3749]
[3750]
[3751]
[3752]
[3753]
[3754]
[3755]
[3756]
[3757]
[3758]
[3759]
[3760]
[3761]
[3762]
[3763]
[3764]
[3765]
[3766]
[3767]
[3768]
[3769]
[3770]
[3771]
[3772]
[3773]
[3774]
[3775]
[3776]
[3777]
[3778]
[3779]
[3780]
[3781]
[3782]
[3783]
[3784]
[3785]
[3786]
[3787]
[3788]
[3789]
[3790]
[3791]
[3792]
[3793]
[3794]
[3795]
[3796]
[3797]
[3798]
[3799]
[3800]
[3801]
[3802]
[3803]
[3804]
[3805]
[3806]
[3807]
[3808]
[3809]
[3810]
[3811]
[3812]
[3813]
[3814]
[3815]
[3816]
[3817]
[3818]
[3819]
[3820]
[3821]
[3822]
[3823]
[3824]
[3825]
[3826]
[3827]
[3828]
[3829]
[3830]
[3831]
[3832]
[3833]
[3834]
[3835]
[3836]
[3837]
[3838]
[3839]
[3840]
[3841]
[3842]
[3843]
[3844]
[3845]
[3846]
[3847]
[3848]
[3849]
[3850]
[3851]
[3852]
[3853]
[3854]
[3855]
[3856]
[3857]
[3858]
[3859]
[3860]
[3861]
[3862]
[3863]
[3864]
[3865]
[3866]
[3867]
[3868]
[3869]
[3870]
[3871]
[3872]
[3873]
[3874]
[3875]
[3876]
[3877]
[3878]
[3879]
[3880]
[3881]
[3882]
[3883]
[3884]
[3885]
[3886]
[3887]
[3888]
[3889]
[3890]
[3891]
[3892]
[3893]
[3894]
[3895]
[3896]
[3897]
[3898]
[3899]
[3900]
[3901]
[3902]
[3903]
[3904]
[3905]
[3906]
[3907]
[3908]
[3909]
[3910]
[3911]
[3912]
[3913]
[3914]
[3915]
[3916]
[3917]
[3918]
[3919]
[3920]
[3921]
[3922]
[3923]
[3924]
[3925]
[3926]
[3927]
[3928]
[3929]
[3930]
[3931]
[3932]
[3933]
[3934]
[3935]
[3936]
[3937]
[3938]
[3939]
[3940]
[3941]
[3942]
[3943]
[3944]
[3945]
[3946]
[3947]
[3948]
[3949]
[3950]
[3951]
[3952]
[3953]
[3954]
[3955]
[3956]
[3957]
[3958]
[3959]
[3960]
[3961]
[3962]
[3963]
[3964]
[3965]
[3966]
[3967]
[3968]
[3969]
[3970]
[3971]
[3972]
[3973]
[3974]
[3975]
[3976]
[3977]
[3978]
[3979]
[3980]
[3981]
[3982]
[3983]
[3984]
[3985]
[3986]
[3987]
[3988]
[3989]
[3990]
[3991]
[3992]
[3993]
[3994]
[3995]
[3996]
[3997]
[3998]
[3999]
[4000]
[4001]
[4002]
[4003]
[4004]
[4005]
[4006]
[4007]
[4008]
[4009]
[4010]
[4011]
[4012]
[4013]
[4014]
[4015]
[4016]
[4017]
[4018]
[4019]
[4020]
[4021]
[4022]
[4023]
[4024]
[4025]
[4026]
[4027]
[4028]
[4029]
[4030]
[4031]
[4032]
[4033]
[4034]
[4035]
[4036]
[4037]
[4038]
[4039]
[4040]
[4041]
[4042]
[4043]
[4044]
[4045]
[4046]
[4047]
[4048]
[4049]
[4050]
[4051]
[4052]
[4053]
[4054]
[4055]
[4056]
[4057]
[4058]
[4059]
[4060]
[4061]
[4062]
[4063]
[4064]
[4065]
[4066]
[4067]
[4068]
[4069]
[4070]
[4071]
[4072]
[4073]
[4074]
[4075]
[4076]
[4077]
[4078]
[4079]
[4080]
[4081]
[4082]
[4083]
[4084]
[4085]
[4086]
[4087]
[4088]
[4089]
[4090]
[4091]
[4092]
[4093]
[4094]
[4095]
[4096]
[4097]
[4098]
[4099]
[4100]
[4101]
[4102]
[4103]
[4104]
[4105]
[4106]
[4107]
[4108]
[4109]
[4110]
[4111]
[4112]
[4113]
[4114]
[4115]
[4116]
[4117]
[4118]
[4119]
[4120]
[4121]
[4122]
[4123]
[4124]
[4125]
[4126]
[4127]
[4128]
[4129]
[4130]
[4131]
[4132]
[4133]
[4134]
[4135]
[4136]
[4137]
[4138]
[4139]
[4140]
[4141]
[4142]
[4143]
[4144]
[4145]
[4146]
[4147]
[4148]
[4149]
[4150]
[4151]
[4152]
[4153]
[4154]
[4155]
[4156]
[4157]
[4158]
[4159]
[4160]
[4161]
[4162]
[4163]
[4164]
[4165]
[4166]
[4167]
[4168]
[4169]
[4170]
[4171]
[4172]
[4173]
[4174]
[4175]
[4176]
[4177]
[4178]
[4179]
[4180]
[4181]
[4182]
[4183]
[4184]
[4185]
[4186]
[4187]
[4188]
[4189]
[4190]
[4191]
[4192]
[4193]
[4194]
[4195]
[4196]
[4197]
[4198]
[4199]
[4200]
[4201]
[4202]
[4203]
[4204]
[4205]
[4206]
[4207]
[4208]
[4209]
[4210]
[4211]
[4212]
[4213]
[4214]
[4215]
[4216]
[4217]
[4218]
[4219]
[4220]
[4221]
[4222]
[4223]
[4224]
[4225]
[4226]
[4227]
[4228]
[4229]
[4230]
[4231]
[4232]
[4233]
[4234]
[4235]
[4236]
[4237]
[4238]
[4239]
[4240]
[4241]
[4242]
[4243]
[4244]
[4245]
[4246]
[4247]
[4248]
[4249]
[4250]
[4251]
[4252]
[4253]
[4254]
[4255]
[4256]
[4257]
[4258]
[4259]
[4260]
[4261]
[4262]
[4263]
[4264]
[4265]
[4266]
[4267]
[4268]
[4269]
[4270]
[4271]
[4272]
[4273]
[4274]
[4275]
[4276]
[4277]
[4278]
[4279]
[4280]
[4281]
[4282]
[4283]
[4284]
[4285]
[4286]
[4287]
[4288]
[4289]
[4290]
[4291]
[4292]
[4293]
[4294]
[4295]
[4296]
[4297]
[4298]
[4299]
[4300]
[4301]
[4302]
[4303]
[4304]
[4305]
[4306]
[4307]
[4308]
[4309]
[4310]
[4311]
[4312]
[4313]
[4314]
[4315]
[4316]
[4317]
[4318]
[4319]
[4320]
[4321]
[4322]
[4323]
[4324]
[4325]
[4326]
[4327]
[4328]
[4329]
[4330]
[4331]
[4332]
[4333]
[4334]
[4335]
[4336]
[4337]
[4338]
[4339]
[4340]
[4341]
[4342]
[4343]
[4344]
[4345]
[4346]
[4347]
[4348]
[4349]
[4350]
[4351]
[4352]
[4353]
[4354]
[4355]
[4356]
[4357]
[4358]
[4359]
[4360]
[4361]
[4362]
[4363]
[4364]
[4365]
[4366]
[4367]
[4368]
[4369]
[4370]
[4371]
[4372]
[4373]
[4374]
[4375]
[4376]
[4377]
[4378]
[4379]
[4380]
[4381]
[4382]
[4383]
[4384]
[4385]
[4386]
[4387]
[4388]
[4389]
[4390]
[4391]
[4392]
[4393]
[4394]
[4395]
[4396]
[4397]
[4398]
[4399]
[4400]
[4401]
[4402]
[4403]
[4404]
[4405]
[4406]
[4407]
[4408]
[4409]
[4410]
[4411]
[4412]
[4413]
[4414]
[4415]
[4416]
[4417]
[4418]
[4419]
[4420]
[4421]
[4422]
[4423]
[4424]
[4425]
[4426]
[4427]
[4428]
[4429]
[4430]
[4431]
[4432]
[4433]
[4434]
[4435]
[4436]
[4437]
[4438]
[4439]
[4440]
[4441]
[4442]
[4443]
[4444]
[4445]
[4446]
[4447]
[4448]
[4449]
[4450]
[4451]
[4452]
[4453]
[4454]
[4455]
[4456]
[4457]
[4458]
[4459]
[4460]
[4461]
[4462]
[4463]
[4464]
[4465]
[4466]
[4467]
[4468]
[4469]
[4470]
[4471]
[4472]
[4473]
[4474]
[4475]
[4476]
[4477]
[4478]
[4479]
[4480]
[4481]
[4482]
[4483]
[4484]
[4485]
[4486]
[4487]
[4488]
[4489]
[4490]
[4491]
[4492]
[4493]
[4494]
[4495]
[4496]
[4497]
[4498]
[4499]
[4500]
[4501]
[4502]
[4503]
[4504]
[4505]
[4506]
[4507]
[4508]
[4509]
[4510]
[4511]
[4512]
[4513]
[4514]
[4515]
[4516]
[4517]
[4518]
[4519]
[4520]
[4521]
[4522]
[4523]
[4524]
[4525]
[4526]
[4527]
[4528]
[4529]
[4530]
[4531]
[4532]
[4533]
[4534]
[4535]
[4536]
[4537]
[4538]
[4539]
[4540]
[4541]
[4542]
[4543]
[4544]
[4545]
[4546]
[4547]
[4548]
[4549]
[4550]
[4551]
[4552]
[4553]
[4554]
[4555]
[4556]
[4557]
[4558]
[4559]
[4560]
[4561]
[4562]
[4563]
[4564]
[4565]
[4566]
[4567]
[4568]
[4569]
[4570]
[4571]
[4572]
[4573]
[4574]
[4575]
[4576]
[4577]
[4578]
[4579]
[4580]
[4581]
[4582]
[4583]
[4584]
[4585]
[4586]
[4587]
[4588]
[4589]
[4590]
[4591]
[4592]
[4593]
[4594]
[4595]
[4596]
[4597]
[4598]
[4599]
[4600]
[4601]
[4602]
[4603]
[4604]
[4605]
[4606]
[4607]
[4608]
[4609]
[4610]
[4611]
[4612]
[4613]
[4614]
[4615]
[4616]
[4617]
[4618]
[4619]
[4620]
[4621]
[4622]
[4623]
[4624]
[4625]
[4626]
[4627]
[4628]
[4629]
[4630]
[4631]
[4632]
[4633]
[4634]
[4635]
[4636]
[4637]
[4638]
[4639]
[4640]
[4641]
[4642]
[4643]
[4644]
[4645]
[4646]
[4647]
[4648]
[4649]
[4650]
[4651]
[4652]
[4653]
[4654]
[4655]
[4656]
[4657]
[4658]
[4659]
[4660]
[4661]
[4662]
[4663]
[4664]
[4665]
[4666]
[4667]
[4668]
[4669]
[4670]
[4671]
[4672]
[4673]
[4674]
[4675]
[4676]
[4677]
[4678]
[4679]
[4680]
[4681]
[4682]
[4683]
[4684]
[4685]
[4686]
[4687]
[4688]
[4689]
[4690]
[4691]
[4692]
[4693]
[4694]
[4695]
[4696]
[4697]
[4698]
[4699]
[4700]
[4701]
[4702]
[4703]
[4704]
[4705]
[4706]
[4707]
[4708]
[4709]
[4710]
[4711]
[4712]
[4713]
[4714]
[4715]
[4716]
[4717]
[4718]
[4719]
[4720]
[4721]
[4722]
[4723]
[4724]
[4725]
[4726]
[4727]
[4728]
[4729]
[4730]
[4731]
[4732]
[4733]
[4734]
[4735]
[4736]
[4737]
[4738]
[4739]
[4740]
[4741]
[4742]
[4743]
[4744]
[4745]
[4746]
[4747]
[4748]
[4749]
[4750]
[4751]
[4752]
[4753]
[4754]
[4755]
[4756]
[4757]
[4758]
[4759]
[4760]
[4761]
[4762]
[4763]
[4764]
[4765]
[4766]
[4767]
[4768]
[4769]
[4770]
[4771]
[4772]
[4773]
[4774]
[4775]
[4776]
[4777]
[4778]
[4779]
[4780]
[4781]
[4782]
[4783]
[4784]
[4785]
[4786]
[4787]
[4788]
[4789]
[4790]
[4791]
[4792]
[4793]
[4794]
[4795]
[4796]
[4797]
[4798]
[4799]
[4800]
[4801]
[4802]
[4803]
[4804]
[4805]
[4806]
[4807]
[4808]
[4809]
[4810]
[4811]
[4812]
[4813]
[4814]
[4815]
[4816]
[4817]
[4818]
[4819]
[4820]
[4821]
[4822]
[4823]
[4824]
[4825]
[4826]
[4827]
[4828]
[4829]
[4830]
[4831]
[4832]
[4833]
[4834]
[4835]
[4836]
[4837]
[4838]
[4839]
[4840]
[4841]
[4842]
[4843]
[4844]
[4845]
[4846]
[4847]
[4848]
[4849]
[4850]
[4851]
[4852]
[4853]
[4854]
[4855]
[4856]
[4857]
[4858]
[4859]
[4860]
[4861]
[4862]
[4863]
[4864]
[4865]
[4866]
[4867]
[4868]
[4869]
[4870]
[4871]
[4872]
[4873]
[4874]
[4875]
[4876]
[4877]
[4878]
[4879]
[4880]
[4881]
[4882]
[4883]
[4884]
[4885]
[4886]
[4887]
[4888]
[4889]
[4890]
[4891]
[4892]
[4893]
[4894]
[4895]
[4896]
[4897]
[4898]
[4899]
[4900]
[4901]
[4902]
[4903]
[4904]
[4905]
[4906]
[4907]
[4908]
[4909]
[4910]
[4911]
[4912]
[4913]
[4914]
[4915]
[4916]
[4917]
[4918]
[4919]
[4920]
[4921]
[4922]
[4923]
[4924]
[4925]
[4926]
[4927]
[4928]
[4929]
[4930]
[4931]
[4932]
[4933]
[4934]
[4935]
[4936]
[4937]
[4938]
[4939]
[4940]
[4941]
[4942]
[4943]
[4944]
[4945]
[4946]
[4947]
[4948]
[4949]
[4950]
[4951]
[4952]
[4953]
[4954]
[4955]
[4956]
[4957]
[4958]
[4959]
[4960]
[4961]
[4962]
[4963]
[4964]
[4965]
[4966]
[4967]
[4968]
[4969]
[4970]
[4971]
[4972]
[4973]
[4974]
[4975]
[4976]
[4977]
[4978]
[4979]
[4980]
[4981]
[4982]
[4983]
[4984]
[4985]
[4986]
[4987]
[4988]
[4989]
[4990]
[4991]
[4992]
[4993]
[4994]
[4995]
[4996]
[4997]
[4998]
[4999]
[5000]
[5001]
[5002]
[5003]
[5004]
[5005]
[5006]
[5007]
[5008]
[5009]
[5010]
[5011]
[5012]
[5013]
[5014]
[5015]
[5016]
[5017]
[5018]
[5019]
[5020]
[5021]
[5022]
[5023]
[5024]
[5025]
[5026]
[5027]
[5028]
[5029]
[5030]
[5031]
[5032]
[5033]
[5034]
[5035]
[5036]
[5037]
[5038]
[5039]
[5040]
[5041]
[5042]
[5043]
[5044]
[5045]
[5046]
[5047]
[5048]
[5049]
[5050]
[5051]
[5052]
[5053]
[5054]
[5055]
[5056]
[5057]
[5058]
[5059]
[5060]
[5061]
[5062]
[5063]
[5064]
[5065]
[5066]
[5067]
[5068]
[5069]
[5070]
[5071]
[5072]
[5073]
[5074]
[5075]
[5076]
[5077]
[5078]
[5079]
[5080]
[5081]
[5082]
[5083]
[5084]
[5085]
[5086]
[5087]
[5088]
[5089]
[5090]
[5091]
[5092]
[5093]
[5094]
[5095]
[5096]
[5097]
[5098]
[5099]
[5100]
[5101]
[5102]
[5103]
[5104]
[5105]
[5106]
[5107]
[5108]
[5109]
[5110]
[5111]
[5112]
[5113]
[5114]
[5115]
[5116]
[5117]
[5118]
[5119]
[5120]
[5121]
[5122]
[5123]
[5124]
[5125]
[5126]
[5127]
[5128]
[5129]
[5130]
[5131]
[5132]
[5133]
[5134]
[5135]
[5136]
[5137]
[5138]
[5139]
[5140]
[5141]
[5142]
[5143]
[5144]
[5145]
[5146]
[5147]
[5148]
[5149]
[5150]
[5151]
[5152]
[5153]
[5154]
[5155]
[5156]
[5157]
[5158]
[5159]
[5160]
[5161]
[5162]
[5163]
[5164]
[5165]
[5166]
[5167]
[5168]
[5169]
[5170]
[5171]
[5172]
[5173]
[5174]
[5175]
[5176]
[5177]
[5178]
[5179]
[5180]
[5181]
[5182]
[5183]
[5184]
[5185]
[5186]
[5187]
[5188]
[5189]
[5190]
[5191]
[5192]
[5193]
[5194]
[5195]
[5196]
[5197]
[5198]
[5199]
[5200]
[5201]
[5202]
[5203]
[5204]
[5205]
[5206]
[5207]
[5208]
[5209]
[5210]
[5211]
[5212]
[5213]
[5214]
[5215]
[5216]
[5217]
[5218]
[5219]
[5220]
[5221]
[5222]
[5223]
[5224]
[5225]
[5226]
[5227]
[5228]
[5229]
[5230]
[5231]
[5232]
[5233]
[5234]
[5235]
[5236]
[5237]
[5238]
[5239]
[5240]
[5241]
[5242]
[5243]
[5244]
[5245]
[5246]
[5247]
[5248]
[5249]
[5250]
[5251]
[5252]
[5253]
[5254]
[5255]
[5256]
[5257]
[5258]
[5259]
[5260]
[5261]
[5262]
[5263]
[5264]
[5265]
[5266]
[5267]
[5268]
[5269]
[5270]
[5271]
[5272]
[5273]
[5274]
[5275]
[5276]
[5277]
[5278]
[5279]
[5280]
[5281]
[5282]
[5283]
[5284]
[5285]
[5286]
[5287]
[5288]
[5289]
[5290]
[5291]
[5292]
[5293]
[5294]
[5295]
[5296]
[5297]
[5298]
[5299]
[5300]
[5301]
[5302]
[5303]
[5304]
[5305]
[5306]
[5307]
[5308]
[5309]
[5310]
[5311]
[5312]
[5313]
[5314]
[5315]
[5316]
[5317]
[5318]
[5319]
[5320]
[5321]
[5322]
[5323]
[5324]
[5325]
[5326]
[5327]
[5328]
[5329]
[5330]
[5331]
[5332]
[5333]
[5334]
[5335]
[5336]
[5337]
[5338]
[5339]
[5340]
[5341]
[5342]
[5343]
[5344]
[5345]
[5346]
[5347]
[5348]
[5349]
[5350]
[5351]
[5352]
[5353]
[5354]
[5355]
[5356]
[5357]
[5358]
[5359]
[5360]
[5361]
[5362]
[5363]
[5364]
[5365]
[5366]
[5367]
[5368]
[5369]
[5370]
[5371]
[5372]
[5373]
[5374]
[5375]
[5376]
[5377]
[5378]
[5379]
[5380]
[5381]
[5382]
[5383]
[5384]
[5385]
[5386]
[5387]
[5388]
[5389]
[5390]
[5391]
[5392]
[5393]
[5394]
[5395]
[5396]
[5397]
[5398]
[5399]
[5400]
[5401]
[5402]
[5403]
[5404]
[5405]
[5406]
[5407]
[5408]
[5409]
[5410]
[5411]
[5412]
[5413]
[5414]
[5415]
[5416]
[5417]
[5418]
[5419]
[5420]
[5421]
[5422]
[5423]
[5424]
[5425]
[5426]
[5427]
[5428]
[5429]
[5430]
[5431]
[5432]
[5433]
[5434]
[5435]
[5436]
[5437]
[5438]
[5439]
[5440]
[5441]
[5442]
[5443]
[5444]
[5445]
[5446]
[5447]
[5448]
[5449]
[5450]
[5451]
[5452]
[5453]
[5454]
[5455]
[5456]
[5457]
[5458]
[5459]
[5460]
[5461]
[5462]
[5463]
[5464]
[5465]
[5466]
[5467]
[5468]
[5469]
[5470]
[5471]
[5472]
[5473]
[5474]
[5475]
[5476]
[5477]
[5478]
[5479]
[5480]
[5481]
[5482]
[5483]
[5484]
[5485]
[5486]
[5487]
[5488]
[5489]
[5490]
[5491]
[5492]
[5493]
[5494]
[5495]
[5496]
[5497]
[5498]
[5499]
[5500]
[5501]
[5502]
[5503]
[5504]
[5505]
[5506]
[5507]
[5508]
[5509]
[5510]
[5511]
[5512]
[5513]
[5514]
[5515]
[5516]
[5517]
[5518]
[5519]
[5520]
[5521]
[5522]
[5523]
[5524]
[5525]
[5526]
[5527]
[5528]
[5529]
[5530]
[5531]
[5532]
[5533]
[5534]
[5535]
[5536]
[5537]
[5538]
[5539]
[5540]
[5541]
[5542]
[5543]
[5544]
[5545]
[5546]
[5547]
[5548]
[5549]
[5550]
[5551]
[5552]
[5553]
[5554]
[5555]
[5556]
[5557]
[5558]
[5559]
[5560]
[5561]
[5562]
[5563]
[5564]
[5565]
[5566]
[5567]
[5568]
[5569]
[5570]
[5571]
[5572]
[5573]
[5574]
[5575]
[5576]
[5577]
[5578]
[5579]
[5580]
[5581]
[5582]
[5583]
[5584]
[5585]
[5586]
[5587]
[5588]
[5589]
[5590]
[5591]
[5592]
[5593]
[5594]
[5595]
[5596]
[5597]
[5598]
[5599]
[5600]
[5601]
[5602]
[5603]
[5604]
[5605]
[5606]
[5607]
[5608]
[5609]
[5610]
[5611]
[5612]
[5613]
[5614]
[5615]
[5616]
[5617]
[5618]
[5619]
[5620]
[5621]
[5622]
[5623]
[5624]
[5625]
[5626]
[5627]
[5628]
[5629]
[5630]
[5631]
[5632]
[5633]
[5634]
[5635]
[5636]
[5637]
[5638]
[5639]
[5640]
[5641]
[5642]
[5643]
[5644]
[5645]
[5646]
[5647]
[5648]
[5649]
[5650]
[5651]
[5652]
[5653]
[5654]
[5655]
[5656]
[5657]
[5658]
[5659]
[5660]
[5661]
[5662]
[5663]
[5664]
[5665]
[5666]
[5667]
[5668]
[5669]
[5670]
[5671]
[5672]
[5673]
[5674]
[5675]
[5676]
[5677]
[5678]
[5679]
[5680]
[5681]
[5682]
[5683]
[5684]
[5685]
[5686]
[5687]
[5688]
[5689]
[5690]
[5691]
[5692]
[5693]
[5694]
[5695]
[5696]
[5697]
[5698]
[5699]
[5700]
[5701]
[5702]
[5703]
[5704]
[5705]
[5706]
[5707]
[5708]
[5709]
[5710]
[5711]
[5712]
[5713]
[5714]
[5715]
[5716]
[5717]
[5718]
[5719]
[5720]
[5721]
[5722]
[5723]
[5724]
[5725]
[5726]
[5727]
[5728]
[5729]
[5730]
[5731]
[5732]
[5733]
[5734]
[5735]
[5736]
[5737]
[5738]
[5739]
[5740]
[5741]
[5742]
[5743]
[5744]
[5745]
[5746]
[5747]
[5748]
[5749]
[5750]
[5751]
[5752]
[5753]
[5754]
[5755]
[5756]
[5757]
[5758]
[5759]
[5760]
[5761]
[5762]
[5763]
[5764]
[5765]
[5766]
[5767]
[5768]
[5769]
[5770]
[5771]
[5772]
[5773]
[5774]
[5775]
[5776]
[5777]
[5778]
[5779]
[5780]
[5781]
[5782]
[5783]
[5784]
[5785]
[5786]
[5787]
[5788]
[5789]
[5790]
[5791]
[5792]
[5793]
[5794]
[5795]
[5796]
[5797]
[5798]
[5799]
[5800]
[5801]
[5802]
[5803]
[5804]
[5805]
[5806]
[5807]
[5808]
[5809]
[5810]
[5811]
[5812]
[5813]
[5814]
[5815]
[5816]
[5817]
[5818]
[5819]
[5820]
[5821]
[5822]
[5823]
[5824]
[5825]
[5826]
[5827]
[5828]
[5829]
[5830]
[5831]
[5832]
[5833]
[5834]
[5835]
[5836]
[5837]
[5838]
[5839]
[5840]
[5841]
[5842]
[5843]
[5844]
[5845]
[5846]
[5847]
[5848]
[5849]
[5850]
[5851]
[5852]
[5853]
[5854]
[5855]
[5856]
[5857]
[5858]
[5859]
[5860]
[5861]
[5862]
[5863]
[5864]
[5865]
[5866]
[5867]
[5868]
[5869]
[5870]
[5871]
[5872]
[5873]
[5874]
[5875]
[5876]
[5877]
[5878]
[5879]
[5880]
[5881]
[5882]
[5883]
[5884]
[5885]
[5886]
[5887]
[5888]
[5889]
[5890]
[5891]
[5892]
[5893]
[5894]
[5895]
[5896]
[5897]
[5898]
[5899]
[5900]
[5901]
[5902]
[5903]
[5904]
[5905]
[5906]
[5907]
[5908]
[5909]
[5910]
[5911]
[5912]
[5913]
[5914]
[5915]
[5916]
[5917]
[5918]
[5919]
[5920]
[5921]
[5922]
[5923]
[5924]
[5925]
[5926]
[5927]
[5928]
[5929]
[5930]
[5931]
[5932]
[5933]
[5934]
[5935]
[5936]
[5937]
[5938]
[5939]
[5940]
[5941]
[5942]
[5943]
[5944]
[5945]
[5946]
[5947]
[5948]
[5949]
[5950]
[5951]
[5952]
[5953]
[5954]
[5955]
[5956]
[5957]
[5958]
[5959]
[5960]
[5961]
[5962]
[5963]
[5964]
[5965]
[5966]
[5967]
[5968]
[5969]
[5970]
[5971]
[5972]
[5973]
[5974]
[5975]
[5976]
[5977]
[5978]
[5979]
[5980]
[5981]
[5982]
[5983]
[5984]
[5985]
[5986]
[5987]
[5988]
[5989]
[5990]
[5991]
[5992]
[5993]
[5994]
[5995]
[5996]
[5997]
[5998]
[5999]
[6000]
[6001]
[6002]
[6003]
[6004]
[6005]
[6006]
[6007]
[6008]
[6009]
[6010]
[6011]
[6012]
[6013]
[6014]
[6015]
[6016]
[6017]
[6018]
[6019]
[6020]
[6021]
[6022]
[6023]
[6024]
[6025]
[6026]
[6027]
[6028]
[6029]
[6030]
[6031]
[6032]
[6033]
[6034]
[6035]
[6036]
[6037]
[6038]
[6039]
[6040]
[6041]
[6042]
[6043]
[6044]
[6045]
[6046]
[6047]
[6048]
[6049]
[6050]
[6051]
[6052]
[6053]
[6054]
[6055]
[6056]
[6057]
[6058]
[6059]
[6060]
[6061]
[6062]
[6063]
[6064]
[6065]
[6066]
[6067]
[6068]
[6069]
[6070]
[6071]
[6072]
[6073]
[6074]
[6075]
[6076]
[6077]
[6078]
[6079]
[6080]
[6081]
[6082]
[6083]
[6084]
[6085]
[6086]
[6087]
[6088]
[6089]
[6090]
[6091]
[6092]
[6093]
[6094]
[6095]
[6096]
[6097]
[6098]
[6099]
[6100]
[6101]
[6102]
[6103]
[6104]
[6105]
[6106]
[6107]
[6108]
[6109]
[6110]
[6111]
[6112]
[6113]
[6114]
[6115]
[6116]
[6117]
[6118]
[6119]
[6120]
[6121]
[6122]
[6123]
[6124]
[6125]
[6126]
[6127]
[6128]
[6129]
[6130]
[6131]
[6132]
[6133]
[6134]
[6135]
[6136]
[6137]
[6138]
[6139]
[6140]
[6141]
[6142]
[6143]
[6144]
[6145]
[6146]
[6147]
[6148]
[6149]
[6150]
[6151]
[6152]
[6153]
[6154]
[6155]
[6156]
[6157]
[6158]
[6159]
[6160]
[6161]
[6162]
[6163]
[6164]
[6165]
[6166]
[6167]
[6168]
[6169]
[6170]
[6171]
[6172]
[6173]
[6174]
[6175]
[6176]
[6177]
[6178]
[6179]
[6180]
[6181]
[6182]
[6183]
[6184]
[6185]
[6186]
[6187]
[6188]
[6189]
[6190]
[6191]
[6192]
[6193]
[6194]
[6195]
[6196]
[6197]
[6198]
[6199]
[6200]
[6201]
[6202]
[6203]
[6204]
[6205]
[6206]
[6207]
[6208]
[6209]
[6210]
[6211]
[6212]
[6213]
[6214]
[6215]
[6216]
[6217]
[6218]
[6219]
[6220]
[6221]
[6222]
[6223]
[6224]
[6225]
[6226]
[6227]
[6228]
[6229]
[6230]
[6231]
[6232]
[6233]
[6234]
[6235]
[6236]
[6237]
[6238]
[6239]
[6240]
[6241]
[6242]
[6243]
[6244]
[6245]
[6246]
[6247]
[6248]
[6249]
[6250]
[6251]
[6252]
[6253]
[6254]
[6255]
[6256]
[6257]
[6258]
[6259]
[6260]
[6261]
[6262]
[6263]
[6264]
[6265]
[6266]
[6267]
[6268]
[6269]
[6270]
[6271]
[6272]
[6273]
[6274]
[6275]
[6276]
[6277]
[6278]
[6279]
[6280]
[6281]
[6282]
[6283]
[6284]
[6285]
[6286]
[6287]
[6288]
[6289]
[6290]
[6291]
[6292]
[6293]
[6294]
[6295]
[6296]
[6297]
[6298]
[6299]
[6300]
[6301]
[6302]
[6303]
[6304]
[6305]
[6306]
[6307]
[6308]
[6309]
[6310]
[6311]
[6312]
[6313]
[6314]
[6315]
[6316]
[6317]
[6318]
[6319]
[6320]
[6321]
[6322]
[6323]
[6324]
[6325]
[6326]
[6327]
[6328]
[6329]
[6330]
[6331]
[6332]
[6333]
[6334]
[6335]
[6336]
[6337]
[6338]
[6339]
[6340]
[6341]
[6342]
[6343]
[6344]
[6345]
[6346]
[6347]
[6348]
[6349]
[6350]
[6351]
[6352]
[6353]
[6354]
[6355]
[6356]
[6357]
[6358]
[6359]
[6360]
[6361]
[6362]
[6363]
[6364]
[6365]
[6366]
[6367]
[6368]
[6369]
[6370]
[6371]
[6372]
[6373]
[6374]
[6375]
[6376]
[6377]
[6378]
[6379]
[6380]
[6381]
[6382]
[6383]
[6384]
[6385]
[6386]
[6387]
[6388]
[6389]
[6390]
[6391]
[6392]
[6393]
[6394]
[6395]
[6396]
[6397]
[6398]
[6399]
[6400]
[6401]
[6402]
[6403]
[6404]
[6405]
[6406]
[6407]
[6408]
[6409]
[6410]
[6411]
[6412]
[6413]
[6414]
[6415]
[6416]
[6417]
[6418]
[6419]
[6420]
[6421]
[6422]
[6423]
[6424]
[6425]
[6426]
[6427]
[6428]
[6429]
[6430]
[6431]
[6432]
[6433]
[6434]
[6435]
[6436]
[6437]
[6438]
[6439]
[6440]
[6441]
[6442]
[6443]
[6444]
[6445]
[6446]
[6447]
[6448]
[6449]
[6450]
[6451]
[6452]
[6453]
[6454]
[6455]
[6456]
[6457]
[6458]
[6459]
[6460]
[6461]
[6462]
[6463]
[6464]
[6465]
[6466]
[6467]
[6468]
[6469]
[6470]
[6471]
[6472]
[6473]
[6474]
[6475]
[6476]
[6477]
[6478]
[6479]
[6480]
[6481]
[6482]
[6483]
[6484]
[6485]
[6486]
[6487]
[6488]
[6489]
[6490]
[6491]
[6492]
[6493]
[6494]
[6495]
[6496]
[6497]
[6498]
[6499]
[6500]
[6501]
[6502]
[6503]
[6504]
[6505]
[6506]
[6507]
[6508]
[6509]
[6510]
[6511]
[6512]
[6513]
[6514]
[6515]
[6516]
[6517]
[6518]
[6519]
[6520]
[6521]
[6522]
[6523]
[6524]
[6525]
[6526]
[6527]
[6528]
[6529]
[6530]
[6531]
[6532]
[6533]
[6534]
[6535]
[6536]
[6537]
[6538]
[6539]
[6540]
[6541]
[6542]
[6543]
[6544]
[6545]
[6546]
[6547]
[6548]
[6549]
[6550]
[6551]
[6552]
[6553]
[6554]
[6555]
[6556]
[6557]
[6558]
[6559]
[6560]
[6561]
[6562]
[6563]
[6564]
[6565]
[6566]
[6567]
[6568]
[6569]
[6570]
[6571]
[6572]
[6573]
[6574]
[6575]
[6576]
[6577]
[6578]
[6579]
[6580]
[6581]
[6582]
[6583]
[6584]
[6585]
[6586]
[6587]
[6588]
[6589]
[6590]
[6591]
[6592]
[6593]
[6594]
[6595]
[6596]
[6597]
[6598]
[6599]
[6600]
[6601]
[6602]
[6603]
[6604]
[6605]
[6606]
[6607]
[6608]
[6609]
[6610]
[6611]
[6612]
[6613]
[6614]
[6615]
[6616]
[6617]
[6618]
[6619]
[6620]
[6621]
[6622]
[6623]
[6624]
[6625]
[6626]
[6627]
[6628]
[6629]
[6630]
[6631]
[6632]
[6633]
[6634]
[6635]
[6636]
[6637]
[6638]
[6639]
[6640]
[6641]
[6642]
[6643]
[6644]
[6645]
[6646]
[6647]
[6648]
[6649]
[6650]
[6651]
[6652]
[6653]
[6654]
[6655]
[6656]
[6657]
[6658]
[6659]
[6660]
[6661]
[6662]
[6663]
[6664]
[6665]
[6666]
[6667]
[6668]
[6669]
[6670]
[6671]
[6672]
[6673]
[6674]
[6675]
[6676]
[6677]
[6678]
[6679]
[6680]
[6681]
[6682]
[6683]
[6684]
[6685]
[6686]
[6687]
[6688]
[6689]
[6690]
[6691]
[6692]
[6693]
[6694]
[6695]
[6696]
[6697]
[6698]
[6699]
[6700]
[6701]
[6702]
[6703]
[6704]
[6705]
[6706]
[6707]
[6708]
[6709]
[6710]
[6711]
[6712]
[6713]
[6714]
[6715]
[6716]
[6717]
[6718]
[6719]
[6720]
[6721]
[6722]
[6723]
[6724]
[6725]
[6726]
[6727]
[6728]
[6729]
[6730]
[6731]
[6732]
[6733]
[6734]
[6735]
[6736]
[6737]
[6738]
[6739]
[6740]
[6741]
[6742]
[6743]
[6744]
[6745]
[6746]
[6747]
[6748]
[6749]
[6750]
[6751]
[6752]
[6753]
[6754]
[6755]
[6756]
[6757]
[6758]
[6759]
[6760]
[6761]
[6762]
[6763]
[6764]
[6765]
[6766]
[6767]
[6768]
[6769]
[6770]
[6771]
[6772]
[6773]
[6774]
[6775]
[6776]
[6777]
[6778]
[6779]
[6780]
[6781]
[6782]
[6783]
[6784]
[6785]
[6786]
[6787]
[6788]
[6789]
[6790]
[6791]
[6792]
[6793]
[6794]
[6795]
[6796]
[6797]
[6798]
[6799]
[6800]
[6801]
[6802]
[6803]
[6804]
[6805]
[6806]
[6807]
[6808]
[6809]
[6810]
[6811]
[6812]
[6813]
[6814]
[6815]
[6816]
[6817]
[6818]
[6819]
[6820]
[6821]
[6822]
[6823]
[6824]
[6825]
[6826]
[6827]
[6828]
[6829]
[6830]
[6831]
[6832]
[6833]
[6834]
[6835]
[6836]
[6837]
[6838]
[6839]
[6840]
[6841]
[6842]
[6843]
[6844]
[6845]
[6846]
[6847]
[6848]
[6849]
[6850]
[6851]
[6852]
[6853]
[6854]
[6855]
[6856]
[6857]
[6858]
[6859]
[6860]
[6861]
[6862]
[6863]
[6864]
[6865]
[6866]
[6867]
[6868]
[6869]
[6870]
[6871]
[6872]
[6873]
[6874]
[6875]
[6876]
[6877]
[6878]
[6879]
[6880]
[6881]
[6882]
[6883]
[6884]
[6885]
[6886]
[6887]
[6888]
[6889]
[6890]
[6891]
[6892]
[6893]
[6894]
[6895]
[6896]
[6897]
[6898]
[6899]
[6900]
[6901]
[6902]
[6903]
[6904]
[6905]
[6906]
[6907]
[6908]
[6909]
[6910]
[6911]
[6912]
[6913]
[6914]
[6915]
[6916]
[6917]
[6918]
[6919]
[6920]
[6921]
[6922]
[6923]
[6924]
[6925]
[6926]
[6927]
[6928]
[6929]
[6930]
[6931]
[6932]
[6933]
[6934]
[6935]
[6936]
[6937]
[6938]
[6939]
[6940]
[6941]
[6942]
[6943]
[6944]
[6945]
[6946]
[6947]
[6948]
[6949]
[6950]
[6951]
[6952]
[6953]
[6954]
[6955]
[6956]
[6957]
[6958]
[6959]
[6960]
[6961]
[6962]
[6963]
[6964]
[6965]
[6966]
[6967]
[6968]
[6969]
[6970]
[6971]
[6972]
[6973]
[6974]
[6975]
[6976]
[6977]
[6978]
[6979]
[6980]
[6981]
[6982]
[6983]
[6984]
[6985]
[6986]
[6987]
[6988]
[6989]
[6990]
[6991]
[6992]
[6993]
[6994]
[6995]
[6996]
[6997]
[6998]
[6999]
[7000]
[7001]
[7002]
[7003]
[7004]
[7005]
[7006]
[7007]
[7008]
[7009]
[7010]
[7011]
[7012]
[7013]
[7014]
[7015]
[7016]
[7017]
[7018]
[7019]
[7020]
[7021]
[7022]
[7023]
[7024]
[7025]
[7026]
[7027]
[7028]
[7029]
[7030]
[7031]
[7032]
[7033]
[7034]
[7035]
[7036]
[7037]
[7038]
[7039]
[7040]
[7041]
[7042]
[7043]
[7044]
[7045]
[7046]
[7047]
[7048]
[7049]
[7050]
[7051]
[7052]
[7053]
[7054]
[7055]
[7056]
[7057]
[7058]
[7059]
[7060]
[7061]
[7062]
[7063]
[7064]
[7065]
[7066]
[7067]
[7068]
[7069]
[7070]
[7071]
[7072]
[7073]
[7074]
[7075]
[7076]
[7077]
[7078]
[7079]
[7080]
[7081]
[7082]
[7083]
[7084]
[7085]
[7086]
[7087]
[7088]
[7089]
[7090]
[7091]
[7092]
[7093]
[7094]
[7095]
[7096]
[7097]
[7098]
[7099]
[7100]
[7101]
[7102]
[7103]
[7104]
[7105]
[7106]
[7107]
[7108]
[7109]
[7110]
[7111]
[7112]
[7113]
[7114]
[7115]
[7116]
[7117]
[7118]
[7119]
[7120]
[7121]
[7122]
[7123]
[7124]
[7125]
[7126]
[7127]
[7128]
[7129]
[7130]
[7131]
[7132]
[7133]
[7134]
[7135]
[7136]
[7137]
[7138]
[7139]
[7140]
[7141]
[7142]
[7143]
[7144]
[7145]
[7146]
[7147]
[7148]
[7149]
[7150]
[7151]
[7152]
[7153]
[7154]
[7155]
[7156]
[7157]
[7158]
[7159]
[7160]
[7161]
[7162]
[7163]
[7164]
[7165]
[7166]
[7167]
[7168]
[7169]
[7170]
[7171]
[7172]
[7173]
[7174]
[7175]
[7176]
[7177]
[7178]
[7179]
[7180]
[7181]
[7182]
[7183]
[7184]
[7185]
[7186]
[7187]
[7188]
[7189]
[7190]
[7191]
[7192]
[7193]
[7194]
[7195]
[7196]
[7197]
[7198]
[7199]
[7200]
[7201]
[7202]
[7203]
[7204]
[7205]
[7206]
[7207]
[7208]
[7209]
[7210]
[7211]
[7212]
[7213]
[7214]
[7215]
[7216]
[7217]
[7218]
[7219]
[7220]
[7221]
[7222]
[7223]
[7224]
[7225]
[7226]
[7227]
[7228]
[7229]
[7230]
[7231]
[7232]
[7233]
[7234]
[7235]
[7236]
[7237]
[7238]
[7239]
[7240]
[7241]
[7242]
[7243]
[7244]
[7245]
[7246]
[7247]
[7248]
[7249]
[7250]
[7251]
[7252]
[7253]
[7254]
[7255]
[7256]
[7257]
[7258]
[7259]
[7260]
[7261]
[7262]
[7263]
[7264]
[7265]
[7266]
[7267]
[7268]
[7269]
[7270]
[7271]
[7272]
[7273]
[7274]
[7275]
[7276]
[7277]
[7278]
[7279]
[7280]
[7281]
[7282]
[7283]
[7284]
[7285]
[7286]
[7287]
[7288]
[7289]
[7290]
[7291]
[7292]
[7293]
[7294]
[7295]
[7296]
[7297]
[7298]
[7299]
[7300]
[7301]
[7302]
[7303]
[7304]
[7305]
[7306]
[7307]
[7308]
[7309]
[7310]
[7311]
[7312]
[7313]
[7314]
[7315]
[7316]
[7317]
[7318]
[7319]
[7320]
[7321]
[7322]
[7323]
[7324]
[7325]
[7326]
[7327]
[7328]
[7329]
[7330]
[7331]
[7332]
[7333]
[7334]
[7335]
[7336]
[7337]
[7338]
[7339]
[7340]
[7341]
[7342]
[7343]
[7344]
[7345]
[7346]
[7347]
[7348]
[7349]
[7350]
[7351]
[7352]
[7353]
[7354]
[7355]
[7356]
[7357]
[7358]
[7359]
[7360]
[7361]
[7362]
[7363]
[7364]
[7365]
[7366]
[7367]
[7368]
[7369]
[7370]
[7371]
[7372]
[7373]
[7374]
[7375]
[7376]
[7377]
[7378]
[7379]
[7380]
[7381]
[7382]
[7383]
[7384]
[7385]
[7386]
[7387]
[7388]
[7389]
[7390]
[7391]
[7392]
[7393]
[7394]
[7395]
[7396]
[7397]
[7398]
[7399]
[7400]
[7401]
[7402]
[7403]
[7404]
[7405]
[7406]
[7407]
[7408]
[7409]
[7410]
[7411]
[7412]
[7413]
[7414]
[7415]
[7416]
[7417]
[7418]
[7419]
[7420]
[7421]
[7422]
[7423]
[7424]
[7425]
[7426]
[7427]
[7428]
[7429]
[7430]
[7431]
[7432]
[7433]
[7434]
[7435]
[7436]
[7437]
[7438]
[7439]
[7440]
[7441]
[7442]
[7443]
[7444]
[7445]
[7446]
[7447]
[7448]
[7449]
[7450]
[7451]
[7452]
[7453]
[7454]
[7455]
[7456]
[7457]
[7458]
[7459]
[7460]
[7461]
[7462]
[7463]
[7464]
[7465]
[7466]
[7467]
[7468]
[7469]
[7470]
[7471]
[7472]
[7473]
[7474]
[7475]
[7476]
[7477]
[7478]
[7479]
[7480]
[7481]
[7482]
[7483]
[7484]
[7485]
[7486]
[7487]
[7488]
[7489]
[7490]
[7491]
[7492]
[7493]
[7494]
[7495]
[7496]
[7497]
[7498]
[7499]
[7500]
[7501]
[7502]
[7503]
[7504]
[7505]
[7506]
[7507]
[7508]
[7509]
[7510]
[7511]
[7512]
[7513]
[7514]
[7515]
[7516]
[7517]
[7518]
[7519]
[7520]
[7521]
[7522]
[7523]
[7524]
[7525]
[7526]
[7527]
[7528]
[7529]
[7530]
[7531]
[7532]
[7533]
[7534]
[7535]
[7536]
[7537]
[7538]
[7539]
[7540]
[7541]
[7542]
[7543]
[7544]
[7545]
[7546]
[7547]
[7548]
[7549]
[7550]
[7551]
[7552]
[7553]
[7554]
[7555]
[7556]
[7557]
[7558]
[7559]
[7560]
[7561]
[7562]
[7563]
[7564]
[7565]
[7566]
[7567]
[7568]
[7569]
[7570]
[7571]
[7572]
[7573]
[7574]
[7575]
[7576]
[7577]
[7578]
[7579]
[7580]
[7581]
[7582]
[7583]
[7584]
[7585]
[7586]
[7587]
[7588]
[7589]
[7590]
[7591]
[7592]
[7593]
[7594]
[7595]
[7596]
[7597]
[7598]
[7599]
[7600]
[7601]
[7602]
[7603]
[7604]
[7605]
[7606]
[7607]
[7608]
[7609]
[7610]
[7611]
[7612]
[7613]
[7614]
[7615]
[7616]
[7617]
[7618]
[7619]
[7620]
[7621]
[7622]
[7623]
[7624]
[7625]
[7626]
[7627]
[7628]
[7629]
[7630]
[7631]
[7632]
[7633]
[7634]
[7635]
[7636]
[7637]
[7638]
[7639]
[7640]
[7641]
[7642]
[7643]
[7644]
[7645]
[7646]
[7647]
[7648]
[7649]
[7650]
[7651]
[7652]
[7653]
[7654]
[7655]
[7656]
[7657]
[7658]
[7659]
[7660]
[7661]
[7662]
[7663]
[7664]
[7665]
[7666]
[7667]
[7668]
[7669]
[7670]
[7671]
[7672]
[7673]
[7674]
[7675]
[7676]
[7677]
[7678]
[7679]
[7680]
[7681]
[7682]
[7683]
[7684]
[7685]
[7686]
[7687]
[7688]
[7689]
[7690]
[7691]
[7692]
[7693]
[7694]
[7695]
[7696]
[7697]
[7698]
[7699]
[7700]
[7701]
[7702]
[7703]
[7704]
[7705]
[7706]
[7707]
[7708]
[7709]
[7710]
[7711]
[7712]
[7713]
[7714]
[7715]
[7716]
[7717]
[7718]
[7719]
[7720]
[7721]
[7722]
[7723]
[7724]
[7725]
[7726]
[7727]
[7728]
[7729]
[7730]
[7731]
[7732]
[7733]
[7734]
[7735]
[7736]
[7737]
[7738]
[7739]
[7740]
[7741]
[7742]
[7743]
[7744]
[7745]
[7746]
[7747]
[7748]
[7749]
[7750]
[7751]
[7752]
[7753]
[7754]
[7755]
[7756]
[7757]
[7758]
[7759]
[7760]
[7761]
[7762]
[7763]
[7764]
[7765]
[7766]
[7767]
[7768]
[7769]
[7770]
[7771]
[7772]
[7773]
[7774]
[7775]
[7776]
[7777]
[7778]
[7779]
[7780]
[7781]
[7782]
[7783]
[7784]
[7785]
[7786]
[7787]
[7788]
[7789]
[7790]
[7791]
[7792]
[7793]
[7794]
[7795]
[7796]
[7797]
[7798]
[7799]
[7800]
[7801]
[7802]
[7803]
[7804]
[7805]
[7806]
[7807]
[7808]
[7809]
[7810]
[7811]
[7812]
[7813]
[7814]
[7815]
[7816]
[7817]
[7818]
[7819]
[7820]
[7821]
[7822]
[7823]
[7824]
[7825]
[7826]
[7827]
[7828]
[7829]
[7830]
[7831]
[7832]
[7833]
[7834]
[7835]
[7836]
[7837]
[7838]
[7839]
[7840]
[7841]
[7842]
[7843]
[7844]
[7845]
[7846]
[7847]
[7848]
[7849]
[7850]
[7851]
[7852]
[7853]
[7854]
[7855]
[7856]
[7857]
[7858]
[7859]
[7860]
[7861]
[7862]
[7863]
[7864]
[7865]
[7866]
[7867]
[7868]
[7869]
[7870]
[7871]
[7872]
[7873]
[7874]
[7875]
[7876]
[7877]
[7878]
[7879]
[7880]
[7881]
[7882]
[7883]
[7884]
[7885]
[7886]
[7887]
[7888]
[7889]
[7890]
[7891]
[7892]
[7893]
[7894]
[7895]
[7896]
[7897]
[7898]
[7899]
[7900]
[7901]
[7902]
[7903]
[7904]
[7905]
[7906]
[7907]
[7908]
[7909]
[7910]
[7911]
[7912]
[7913]
[7914]
[7915]
[7916]
[7917]
[7918]
[7919]
[7920]
[7921]
[7922]
[7923]
[7924]
[7925]
[7926]
[7927]
[7928]
[7929]
[7930]
[7931]
[7932]
[7933]
[7934]
[7935]
[7936]
[7937]
[7938]
[7939]
[7940]
[7941]
[7942]
[7943]
[7944]
[7945]
[7946]
[7947]
[7948]
[7949]
[7950]
[7951]
[7952]
[7953]
[7954]
[7955]
[7956]
[7957]
[7958]
[7959]
[7960]
[7961]
[7962]
[7963]
[7964]
[7965]
[7966]
[7967]
[7968]
[7969]
[7970]
[7971]
[7972]
[7973]
[7974]
[7975]
[7976]
[7977]
[7978]
[7979]
[7980]
[7981]
[7982]
[7983]
[7984]
[7985]
[7986]
[7987]
[7988]
[7989]
[7990]
[7991]
[7992]
[7993]
[7994]
[7995]
[7996]
[7997]
[7998]
[7999]
[8000]
[8001]
[8002]
[8003]
[8004]
[8005]
[8006]
[8007]
[8008]
[8009]
[8010]
[8011]
[8012]
[8013]
[8014]
[8015]
[8016]
[8017]
[8018]
[8019]
[8020]
[8021]
[8022]
[8023]
[8024]
[8025]
[8026]
[8027]
[8028]
[8029]
[8030]
[8031]
[8032]
[8033]
[8034]
[8035]
[8036]
[8037]
[8038]
[8039]
[8040]
[8041]
[8042]
[8043]
[8044]
[8045]
[8046]
[8047]
[8048]
[8049]
[8050]
[8051]
[8052]
[8053]
[8054]
[8055]
[8056]
[8057]
[8058]
[8059]
[8060]
[8061]
[8062]
[8063]
[8064]
[8065]
[8066]
[8067]
[8068]
[8069]
[8070]
[8071]
[8072]
[8073]
[8074]
[8075]
[8076]
[8077]
[8078]
[8079]
[8080]
[8081]
[8082]
[8083]
[8084]
[8085]
[8086]
[8087]
[8088]
[8089]
[8090]
[8091]
[8092]
[8093]
[8094]
[8095]
[8096]
[8097]
[8098]
[8099]
[8100]
[8101]
[8102]
[8103]
[8104]
[8105]
[8106]
[8107]
[8108]
[8109]
[8110]
[8111]
[8112]
[8113]
[8114]
[8115]
[8116]
[8117]
[8118]
[8119]
[8120]
[8121]
[8122]
[8123]
[8124]
[8125]
[8126]
[8127]
[8128]
[8129]
[8130]
[8131]
[8132]
[8133]
[8134]
[8135]
[8136]
[8137]
[8138]
[8139]
[8140]
[8141]
[8142]
[8143]
[8144]
[8145]
[8146]
[8147]
[8148]
[8149]
[8150]
[8151]
[8152]
[8153]
[8154]
[8155]
[8156]
[8157]
[8158]
[8159]
[8160]
[8161]
[8162]
[8163]
[8164]
[8165]
[8166]
[8167]
[8168]
[8169]
[8170]
[8171]
[8172]
[8173]
[8174]
[8175]
[8176]
[8177]
[8178]
[8179]
[8180]
[8181]
[8182]
[8183]
[8184]
[8185]
[8186]
[8187]
[8188]
[8189]
[8190]
[8191]
[8192]
[8193]
[8194]
[8195]
[8196]
[8197]
[8198]
[8199]
[8200]
[8201]
[8202]
[8203]
[8204]
[8205]
[8206]
[8207]
[8208]
[8209]
[8210]
[8211]
[8212]
[8213]
[8214]
[8215]
[8216]
[8217]
[8218]
[8219]
[8220]
[8221]
[8222]
[8223]
[8224]
[8225]
[8226]
[8227]
[8228]
[8229]
[8230]
[8231]
[8232]
[8233]
[8234]
[8235]
[8236]
[8237]
[8238]
[8239]
[8240]
[8241]
[8242]
[8243]
[8244]
[8245]
[8246]
[8247]
[8248]
[8249]
[8250]
[8251]
[8252]
[8253]
[8254]
[8255]
[8256]
[8257]
[8258]
[8259]
[8260]
[8261]
[8262]
[8263]
[8264]
[8265]
[8266]
[8267]
[8268]
[8269]
[8270]
[8271]
[8272]
[8273]
[8274]
[8275]
[8276]
[8277]
[8278]
[8279]
[8280]
[8281]
[8282]
[8283]
[8284]
[8285]
[8286]
[8287]
[8288]
[8289]
[8290]
[8291]
[8292]
[8293]
[8294]
[8295]
[8296]
[8297]
[8298]
[8299]
[8300]
[8301]
[8302]
[8303]
[8304]
[8305]
[8306]
[8307]
[8308]
[8309]
[8310]
[8311]
[8312]
[8313]
[8314]
[8315]
[8316]
[8317]
[8318]
[8319]
[8320]
[8321]
[8322]
[8323]
[8324]
[8325]
[8326]
[8327]
[8328]
[8329]
[8330]
[8331]
[8332]
[8333]
[8334]
[8335]
[8336]
[8337]
[8338]
[8339]
[8340]
[8341]
[8342]
[8343]
[8344]
[8345]
[8346]
[8347]
[8348]
[8349]
[8350]
[8351]
[8352]
[8353]
[8354]
[8355]
[8356]
[8357]
[8358]
[8359]
[8360]
[8361]
[8362]
[8363]
[8364]
[8365]
[8366]
[8367]
[8368]
[8369]
[8370]
[8371]
[8372]
[8373]
[8374]
[8375]
[8376]
[8377]
[8378]
[8379]
[8380]
[8381]
[8382]
[8383]
[8384]
[8385]
[8386]
[8387]
[8388]
[8389]
[8390]
[8391]
[8392]
[8393]
[8394]
[8395]
[8396]
[8397]
[8398]
[8399]
[8400]
[8401]
[8402]
[8403]
[8404]
[8405]
[8406]
[8407]
[8408]
[8409]
[8410]
[8411]
[8412]
[8413]
[8414]
[8415]
[8416]
[8417]
[8418]
[8419]
[8420]
[8421]
[8422]
[8423]
[8424]
[8425]
[8426]
[8427]
[8428]
[8429]
[8430]
[8431]
[8432]
[8433]
[8434]
[8435]
[8436]
[8437]
[8438]
[8439]
[8440]
[8441]
[8442]
[8443]
[8444]
[8445]
[8446]
[8447]
[8448]
[8449]
[8450]
[8451]
[8452]
[8453]
[8454]
[8455]
[8456]
[8457]
[8458]
[8459]
[8460]
[8461]
[8462]
[8463]
[8464]
[8465]
[8466]
[8467]
[8468]
[8469]
[8470]
[8471]
[8472]
[8473]
[8474]
[8475]
[8476]
[8477]
[8478]
[8479]
[8480]
[8481]
[8482]
[8483]
[8484]
[8485]
[8486]
[8487]
[8488]
[8489]
[8490]
[8491]
[8492]
[8493]
[8494]
[8495]
[8496]
[8497]
[8498]
[8499]
[8500]
[8501]
[8502]
[8503]
[8504]
[8505]
[8506]
[8507]
[8508]
[8509]
[8510]
[8511]
[8512]
[8513]
[8514]
[8515]
[8516]
[8517]
[8518]
[8519]
[8520]
[8521]
[8522]
[8523]
[8524]
[8525]
[8526]
[8527]
[8528]
[8529]
[8530]
[8531]
[8532]
[8533]
[8534]
[8535]
[8536]
[8537]
[8538]
[8539]
[8540]
[8541]
[8542]
[8543]
[8544]
[8545]
[8546]
[8547]
[8548]
[8549]
[8550]
[8551]
[8552]
[8553]
[8554]
[8555]
[8556]
[8557]
[8558]
[8559]
[8560]
[8561]
[8562]
[8563]
[8564]
[8565]
[8566]
[8567]
[8568]
[8569]
[8570]
[8571]
[8572]
[8573]
[8574]
[8575]
[8576]
[8577]
[8578]
[8579]
[8580]
[8581]
[8582]
[8583]
[8584]
[8585]
[8586]
[8587]
[8588]
[8589]
[8590]
[8591]
[8592]
[8593]
[8594]
[8595]
[8596]
[8597]
[8598]
[8599]
[8600]
[8601]
[8602]
[8603]
[8604]
[8605]
[8606]
[8607]
[8608]
[8609]
[8610]
[8611]
[8612]
[8613]
[8614]
[8615]
[8616]
[8617]
[8618]
[8619]
[8620]
[8621]
[8622]
[8623]
[8624]
[8625]
[8626]
[8627]
[8628]
[8629]
[8630]
[8631]
[8632]
[8633]
[8634]
[8635]
[8636]
[8637]
[8638]
[8639]
[8640]
[8641]
[8642]
[8643]
[8644]
[8645]
[8646]
[8647]
[8648]
[8649]
[8650]
[8651]
[8652]
[8653]
[8654]
[8655]
[8656]
[8657]
[8658]
[8659]
[8660]
[8661]
[8662]
[8663]
[8664]
[8665]
[8666]
[8667]
[8668]
[8669]
[8670]
[8671]
[8672]
[8673]
[8674]
[8675]
[8676]
[8677]
[8678]
[8679]
[8680]
[8681]
[8682]
[8683]
[8684]
[8685]
[8686]
[8687]
[8688]
[8689]
[8690]
[8691]
[8692]
[8693]
[8694]
[8695]
[8696]
[8697]
[8698]
[8699]
[8700]
[8701]
[8702]
[8703]
[8704]
[8705]
[8706]
[8707]
[8708]
[8709]
[8710]
[8711]
[8712]
[8713]
[8714]
[8715]
[8716]
[8717]
[8718]
[8719]
[8720]
[8721]
[8722]
[8723]
[8724]
[8725]
[8726]
[8727]
[8728]
[8729]
[8730]
[8731]
[8732]
[8733]
[8734]
[8735]
[8736]
[8737]
[8738]
[8739]
[8740]
[8741]
[8742]
[8743]
[8744]
[8745]
[8746]
[8747]
[8748]
[8749]
[8750]
[8751]
[8752]
[8753]
[8754]
[8755]
[8756]
[8757]
[8758]
[8759]
[8760]
[8761]
[8762]
[8763]
[8764]
[8765]
[8766]
[8767]
[8768]
[8769]
[8770]
[8771]
[8772]
[8773]
[8774]
[8775]
[8776]
[8777]
[8778]
[8779]
[8780]
[8781]
[8782]
[8783]
[8784]
[8785]
[8786]
[8787]
[8788]
[8789]
[8790]
[8791]
[8792]
[8793]
[8794]
[8795]
[8796]
[8797]
[8798]
[8799]
[8800]
[8801]
[8802]
[8803]
[8804]
[8805]
[8806]
[8807]
[8808]
[8809]
[8810]
[8811]
[8812]
[8813]
[8814]
[8815]
[8816]
[8817]
[8818]
[8819]
[8820]
[8821]
[8822]
[8823]
[8824]
[8825]
[8826]
[8827]
[8828]
[8829]
[8830]
[8831]
[8832]
[8833]
[8834]
[8835]
[8836]
[8837]
[8838]
[8839]
[8840]
[8841]
[8842]
[8843]
[8844]
[8845]
[8846]
[8847]
[8848]
[8849]
[8850]
[8851]
[8852]
[8853]
[8854]
[8855]
[8856]
[8857]
[8858]
[8859]
[8860]
[8861]
[8862]
[8863]
[8864]
[8865]
[8866]
[8867]
[8868]
[8869]
[8870]
[8871]
[8872]
[8873]
[8874]
[8875]
[8876]
[8877]
[8878]
[8879]
[8880]
[8881]
[8882]
[8883]
[8884]
[8885]
[8886]
[8887]
[8888]
[8889]
[8890]
[8891]
[8892]
[8893]
[8894]
[8895]
[8896]
[8897]
[8898]
[8899]
[8900]
[8901]
[8902]
[8903]
[8904]
[8905]
[8906]
[8907]
[8908]
[8909]
[8910]
[8911]
[8912]
[8913]
[8914]
[8915]
[8916]
[8917]
[8918]
[8919]
[8920]
[8921]
[8922]
[8923]
[8924]
[8925]
[8926]
[8927]
[8928]
[8929]
[8930]
[8931]
[8932]
[8933]
[8934]
[8935]
[8936]
[8937]
[8938]
[8939]
[8940]
[8941]
[8942]
[8943]
[8944]
[8945]
[8946]
[8947]
[8948]
[8949]
[8950]
[8951]
[8952]
[8953]
[8954]
[8955]
[8956]
[8957]
[8958]
[8959]
[8960]
[8961]
[8962]
[8963]
[8964]
[8965]
[8966]
[8967]
[8968]
[8969]
[8970]
[8971]
[8972]
[8973]
[8974]
[8975]
[8976]
[8977]
[8978]
[8979]
[8980]
[8981]
[8982]
[8983]
[8984]
[8985]
[8986]
[8987]
[8988]
[8989]
[8990]
[8991]
[8992]
[8993]
[8994]
[8995]
[8996]
[8997]
[8998]
[8999]
[9000]
[9001]
[9002]
[9003]
[9004]
[9005]
[9006]
[9007]
[9008]
[9009]
[9010]
[9011]
[9012]
[9013]
[9014]
[9015]
[9016]
[9017]
[9018]
[9019]
[9020]
[9021]
[9022]
[9023]
[9024]
[9025]
[9026]
[9027]
[9028]
[9029]
[9030]
[9031]
[9032]
[9033]
[9034]
[9035]
[9036]
[9037]
[9038]
[9039]
[9040]
[9041]
[9042]
[9043]
[9044]
[9045]
[9046]
[9047]
[9048]
[9049]
[9050]
[9051]
[9052]
[9053]
[9054]
[9055]
[9056]
[9057]
[9058]
[9059]
[9060]
[9061]
[9062]
[9063]
[9064]
[9065]
[9066]
[9067]
[9068]
[9069]
[9070]
[9071]
[9072]
[9073]
[9074]
[9075]
[9076]
[9077]
[9078]
[9079]
[9080]
[9081]
[9082]
[9083]
[9084]
[9085]
[9086]
[9087]
[9088]
[9089]
[9090]
[9091]
[9092]
[9093]
[9094]
[9095]
[9096]
[9097]
[9098]
[9099]
[9100]
[9101]
[9102]
[9103]
[9104]
[9105]
[9106]
[9107]
[9108]
[9109]
[9110]
[9111]
[9112]
[9113]
[9114]
[9115]
[9116]
[9117]
[9118]
[9119]
[9120]
[9121]
[9122]
[9123]
[9124]
[9125]
[9126]
[9127]
[9128]
[9129]
[9130]
[9131]
[9132]
[9133]
[9134]
[9135]
[9136]
[9137]
[9138]
[9139]
[9140]
[9141]
[9142]
[9143]
[9144]
[9145]
[9146]
[9147]
[9148]
[9149]
[9150]
[9151]
[9152]
[9153]
[9154]
[9155]
[9156]
[9157]
[9158]
[9159]
[9160]
[9161]
[9162]
[9163]
[9164]
[9165]
[9166]
[9167]
[9168]
[9169]
[9170]
[9171]
[9172]
[9173]
[9174]
[9175]
[9176]
[9177]
[9178]
[9179]
[9180]
[9181]
[9182]
[9183]
[9184]
[9185]
[9186]
[9187]
[9188]
[9189]
[9190]
[9191]
[9192]
[9193]
[9194]
[9195]
[9196]
[9197]
[9198]
[9199]
[9200]
[9201]
[9202]
[9203]
[9204]
[9205]
[9206]
[9207]
[9208]
[9209]
[9210]
[9211]
[9212]
[9213]
[9214]
[9215]
[9216]
[9217]
[9218]
[9219]
[9220]
[9221]
[9222]
[9223]
[9224]
[9225]
[9226]
[9227]
[9228]
[9229]
[9230]
[9231]
[9232]
[9233]
[9234]
[9235]
[9236]
[9237]
[9238]
[9239]
[9240]
[9241]
[9242]
[9243]
[9244]
[9245]
[9246]
[9247]
[9248]
[9249]
[9250]
[9251]
[9252]
[9253]
[9254]
[9255]
[9256]
[9257]
[9258]
[9259]
[9260]
[9261]
[9262]
[9263]
[9264]
[9265]
[9266]
[9267]
[9268]
[9269]
[9270]
[9271]
[9272]
[9273]
[9274]
[9275]
[9276]
[9277]
[9278]
[9279]
[9280]
[9281]
[9282]
[9283]
[9284]
[9285]
[9286]
[9287]
[9288]
[9289]
[9290]
[9291]
[9292]
[9293]
[9294]
[9295]
[9296]
[9297]
[9298]
[9299]
[9300]
[9301]
[9302]
[9303]
[9304]
[9305]
[9306]
[9307]
[9308]
[9309]
[9310]
[9311]
[9312]
[9313]
[9314]
[9315]
[9316]
[9317]
[9318]
[9319]
[9320]
[9321]
[9322]
[9323]
[9324]
[9325]
[9326]
[9327]
[9328]
[9329]
[9330]
[9331]
[9332]
[9333]
[9334]
[9335]
[9336]
[9337]
[9338]
[9339]
[9340]
[9341]
[9342]
[9343]
[9344]
[9345]
[9346]
[9347]
[9348]
[9349]
[9350]
[9351]
[9352]
[9353]
[9354]
[9355]
[9356]
[9357]
[9358]
[9359]
[9360]
[9361]
[9362]
[9363]
[9364]
[9365]
[9366]
[9367]
[9368]
[9369]
[9370]
[9371]
[9372]
[9373]
[9374]
[9375]
[9376]
[9377]
[9378]
[9379]
[9380]
[9381]
[9382]
[9383]
[9384]
[9385]
[9386]
[9387]
[9388]
[9389]
[9390]
[9391]
[9392]
[9393]
[9394]
[9395]
[9396]
[9397]
[9398]
[9399]
[9400]
[9401]
[9402]
[9403]
[9404]
[9405]
[9406]
[9407]
[9408]
[9409]
[9410]
[9411]
[9412]
[9413]
[9414]
[9415]
[9416]
[9417]
[9418]
[9419]
[9420]
[9421]
[9422]
[9423]
[9424]
[9425]
[9426]
[9427]
[9428]
[9429]
[9430]
[9431]
[9432]
[9433]
[9434]
[9435]
[9436]
[9437]
[9438]
[9439]
[9440]
[9441]
[9442]
[9443]
[9444]
[9445]
[9446]
[9447]
[9448]
[9449]
[9450]
[9451]
[9452]
[9453]
[9454]
[9455]
[9456]
[9457]
[9458]
[9459]
[9460]
[9461]
[9462]
[9463]
[9464]
[9465]
[9466]
[9467]
[9468]
[9469]
[9470]
[9471]
[9472]
[9473]
[9474]
[9475]
[9476]
[9477]
[9478]
[9479]
[9480]
[9481]
[9482]
[9483]
[9484]
[9485]
[9486]
[9487]
[9488]
[9489]
[9490]
[9491]
[9492]
[9493]
[9494]
[9495]
[9496]
[9497]
[9498]
[9499]
[9500]
[9501]
[9502]
[9503]
[9504]
[9505]
[9506]
[9507]
[9508]
[9509]
[9510]
[9511]
[9512]
[9513]
[9514]
[9515]
[9516]
[9517]
[9518]
[9519]
[9520]
[9521]
[9522]
[9523]
[9524]
[9525]
[9526]
[9527]
[9528]
[9529]
[9530]
[9531]
[9532]
[9533]
[9534]
[9535]
[9536]
[9537]
[9538]
[9539]
[9540]
[9541]
[9542]
[9543]
[9544]
[9545]
[9546]
[9547]
[9548]
[9549]
[9550]
[9551]
[9552]
[9553]
[9554]
[9555]
[9556]
[9557]
[9558]
[9559]
[9560]
[9561]
[9562]
[9563]
[9564]
[9565]
[9566]
[9567]
[9568]
[9569]
[9570]
[9571]
[9572]
[9573]
[9574]
[9575]
[9576]
[9577]
[9578]
[9579]
[9580]
[9581]
[9582]
[9583]
[9584]
[9585]
[9586]
[9587]
[9588]
[9589]
[9590]
[9591]
[9592]
[9593]
[9594]
[9595]
[9596]
[9597]
[9598]
[9599]
[9600]
[9601]
[9602]
[9603]
[9604]
[9605]
[9606]
[9607]
[9608]
[9609]
[9610]
[9611]
[9612]
[9613]
[9614]
[9615]
[9616]
[9617]
[9618]
[9619]
[9620]
[9621]
[9622]
[9623]
[9624]
[9625]
[9626]
[9627]
[9628]
[9629]
[9630]
[9631]
[9632]
[9633]
[9634]
[9635]
[9636]
[9637]
[9638]
[9639]
[9640]
[9641]
[9642]
[9643]
[9644]
[9645]
[9646]
[9647]
[9648]
[9649]
[9650]
[9651]
[9652]
[9653]
[9654]
[9655]
[9656]
[9657]
[9658]
[9659]
[9660]
[9661]
[9662]
[9663]
[9664]
[9665]
[9666]
[9667]
[9668]
[9669]
[9670]
[9671]
[9672]
[9673]
[9674]
[9675]
[9676]
[9677]
[9678]
[9679]
[9680]
[9681]
[9682]
[9683]
[9684]
[9685]
[9686]
[9687]
[9688]
[9689]
[9690]
[9691]
[9692]
[9693]
[9694]
[9695]
[9696]
[9697]
[9698]
[9699]
[9700]
[9701]
[9702]
[9703]
[9704]
[9705]
[9706]
[9707]
[9708]
[9709]
[9710]
[9711]
[9712]
[9713]
[9714]
[9715]
[9716]
[9717]
[9718]
[9719]
[9720]
[9721]
[9722]
[9723]
[9724]
[9725]
[9726]
[9727]
[9728]
[9729]
[9730]
[9731]
[9732]
[9733]
[9734]
[9735]
[9736]
[9737]
[9738]
[9739]
[9740]
[9741]
[9742]
[9743]
[9744]
[9745]
[9746]
[9747]
[9748]
[9749]
[9750]
[9751]
[9752]
[9753]
[9754]
[9755]
[9756]
[9757]
[9758]
[9759]
[9760]
[9761]
[9762]
[9763]
[9764]
[9765]
[9766]
[9767]
[9768]
[9769]
[9770]
[9771]
[9772]
[9773]
[9774]
[9775]
[9776]
[9777]
[9778]
[9779]
[9780]
[9781]
[9782]
[9783]
[9784]
[9785]
[9786]
[9787]
[9788]
[9789]
[9790]
[9791]
[9792]
[9793]
[9794]
[9795]
[9796]
[9797]
[9798]
[9799]
[9800]
[9801]
[9802]
[9803]
[9804]
[9805]
[9806]
[9807]
[9808]
[9809]
[9810]
[9811]
[9812]
[9813]
[9814]
[9815]
[9816]
[9817]
[9818]
[9819]
[9820]
[9821]
[9822]
[9823]
[9824]
[9825]
[9826]
[9827]
[9828]
[9829]
[9830]
[9831]
[9832]
[9833]
[9834]
[9835]
[9836]
[9837]
[9838]
[9839]
[9840]
[9841]
[9842]
[9843]
[9844]
[9845]
[9846]
[9847]
[9848]
[9849]
[9850]
[9851]
[9852]
[9853]
[9854]
[9855]
[9856]
[9857]
[9858]
[9859]
[9860]
[9861]
[9862]
[9863]
[9864]
[9865]
[9866]
[9867]
[9868]
[9869]
[9870]
[9871]
[9872]
[9873]
[9874]
[9875]
[9876]
[9877]
[9878]
[9879]
[9880]
[9881]
[9882]
[9883]
[9884]
[9885]
[9886]
[9887]
[9888]
[9889]
[9890]
[9891]
[9892]
[9893]
[9894]
[9895]
[9896]
[9897]
[9898]
[9899]
[9900]
[9901]
[9902]
[9903]
[9904]
[9905]
[9906]
[9907]
[9908]
[9909]
[9910]
[9911]
[9912]
[9913]
[9914]
[9915]
[9916]
[9917]
[9918]
[9919]
[9920]
[9921]
[9922]
[9923]
[9924]
[9925]
[9926]
[9927]
[9928]
[9929]
[9930]
[9931]
[9932]
[9933]
[9934]
[9935]
[9936]
[9937]
[9938]
[9939]
[9940]
[9941]
[9942]
[9943]
[9944]
[9945]
[9946]
[9947]
[9948]
[9949]
[9950]
[9951]
[9952]
[9953]
[9954]
[9955]
[9956]
[9957]
[9958]
[9959]
[9960]
[9961]
[9962]
[9963]
[9964]
[9965]
[9966]
[9967]
[9968]
[9969]
[9970]
[9971]
[9972]
[9973]
[9974]
[9975]
[9976]
[9977]
[9978]
[9979]
[9980]
[9981]
[9982]
[9983]
[9984]
[9985]
[9986]
[9987]
[9988]
[9989]
[9990]
[9991]
[9992]
[9993]
[9994]
[9995]
[9996]
[9997]
[9998]
[9999]
[10000]
[10001]
[10002]
[10003]
[10004]
[10005]
[10006]
[10007]
[10008]
[10009]
[10010]
[10011]
[10012]
[10013]
[10014]
[10015]
[10016]
[10017]
[10018]
[10019]
[10020]
[10021]
[10022]
[10023]
[10024]
[10025]
[10026]
[10027]
[10028]
[10029]
[10030]
[10031]
[10032]
[10033]
[10034]
[10035]
[10036]
[10037]
[10038]
[10039]
[10040]
[10041]
[10042]
[10043]
[10044]
[10045]
[10046]
[10047]
[10048]
[10049]
[10050]
[10051]
[10052]
[10053]
[10054]
[10055]
[10056]
[10057]
[10058]
[10059]
[10060]
[10061]
[10062]
[10063]
[10064]
[10065]
[10066]
[10067]
[10068]
[10069]
[10070]
[10071]
[10072]
[10073]
[10074]
[10075]
[10076]
[10077]
[10078]
[10079]
[10080]
[10081]
[10082]
[10083]
[10084]
[10085]
[10086]
[10087]
[10088]
[10089]
[10090]
[10091]
[10092]
[10093]
[10094]
[10095]
[10096]
[10097]
[10098]
[10099]
[10100]
[10101]
[10102]
[10103]
[10104]
[10105]
[10106]
[10107]
[10108]
[10109]
[10110]
[10111]
[10112]
[10113]
[10114]
[10115]
[10116]
[10117]
[10118]
[10119]
[10120]
[10121]
[10122]
[10123]
[10124]
[10125]
[10126]
[10127]
[10128]
[10129]
[10130]
[10131]
[10132]
[10133]
[10134]
[10135]
[10136]
[10137]
[10138]
[10139]
[10140]
[10141]
[10142]
[10143]
[10144]
[10145]
[10146]
[10147]
[10148]
[10149]
[10150]
[10151]
[10152]
[10153]
[10154]
[10155]
[10156]
[10157]
[10158]
[10159]
[10160]
[10161]
[10162]
[10163]
[10164]
[10165]
[10166]
[10167]
[10168]
[10169]
[10170]
[10171]
[10172]
[10173]
[10174]
[10175]
[10176]
[10177]
[10178]
[10179]
[10180]
[10181]
[10182]
[10183]
[10184]
[10185]
[10186]
[10187]
[10188]
[10189]
[10190]
[10191]
[10192]
[10193]
[10194]
[10195]
[10196]
[10197]
[10198]
[10199]
[10200]
[10201]
[10202]
[10203]
[10204]
[10205]
[10206]
[10207]
[10208]
[10209]
[10210]
[10211]
[10212]
[10213]
[10214]
[10215]
[10216]
[10217]
[10218]
[10219]
[10220]
[10221]
[10222]
[10223]
[10224]
[10225]
[10226]
[10227]
[10228]
[10229]
[10230]
[10231]
[10232]
[10233]
[10234]
[10235]
[10236]
[10237]
[10238]
[10239]
[10240]
[10241]
[10242]
[10243]
[10244]
[10245]
[10246]
[10247]
[10248]
[10249]
[10250]
[10251]
[10252]
[10253]
[10254]
[10255]
[10256]
[10257]
[10258]
[10259]
[10260]
[10261]
[10262]
[10263]
[10264]
[10265]
[10266]
[10267]
[10268]
[10269]
[10270]
[10271]
[10272]
[10273]
[10274]
[10275]
[10276]
[10277]
[10278]
[10279]
[10280]
[10281]
[10282]
[10283]
[10284]
[10285]
[10286]
[10287]
[10288]
[10289]
[10290]
[10291]
[10292]
[10293]
[10294]
[10295]
[10296]
[10297]
[10298]
[10299]
[10300]
[10301]
[10302]
[10303]
[10304]
[10305]
[10306]
[10307]
[10308]
[10309]
[10310]
[10311]
[10312]
[10313]
[10314]
[10315]
[10316]
[10317]
[10318]
[10319]
[10320]
[10321]
[10322]
[10323]
[10324]
[10325]
[10326]
[10327]
[10328]
[10329]
[10330]
[10331]
[10332]
[10333]
[10334]
[10335]
[10336]
[10337]
[10338]
[10339]
[10340]
[10341]
[10342]
[10343]
[10344]
[10345]
[10346]
[10347]
[10348]
[10349]
[10350]
[10351]
[10352]
[10353]
[10354]
[10355]
[10356]
[10357]
[10358]
[10359]
[10360]
[10361]
[10362]
[10363]
[10364]
[10365]
[10366]
[10367]
[10368]
[10369]
[10370]
[10371]
[10372]
[10373]
[10374]
[10375]
[10376]
[10377]
[10378]
[10379]
[10380]
[10381]
[10382]
[10383]
[10384]
[10385]
[10386]
[10387]
[10388]
[10389]
[10390]
[10391]
[10392]
[10393]
[10394]
[10395]
[10396]
[10397]
[10398]
[10399]
[10400]
[10401]
[10402]
[10403]
[10404]
[10405]
[10406]
[10407]
[10408]
[10409]
[10410]
[10411]
[10412]
[10413]
[10414]
[10415]
[10416]
[10417]
[10418]
[10419]
[10420]
[10421]
[10422]
[10423]
[10424]
[10425]
[10426]
[10427]
[10428]
[10429]
[10430]
[10431]
[10432]
[10433]
[10434]
[10435]
[10436]
[10437]
[10438]
[10439]
[10440]
[10441]
[10442]
[10443]
[10444]
[10445]
[10446]
[10447]
[10448]
[10449]
[10450]
[10451]
[10452]
[10453]
[10454]
[10455]
[10456]
[10457]
[10458]
[10459]
[10460]
[10461]
[10462]
[10463]
[10464]
[10465]
[10466]
[10467]
[10468]
[10469]
[10470]
[10471]
[10472]
[10473]
[10474]
[10475]
[10476]
[10477]
[10478]
[10479]
[10480]
[10481]
[10482]
[10483]
[10484]
[10485]
[10486]
[10487]
[10488]
[10489]
[10490]
[10491]
[10492]
[10493]
[10494]
[10495]
[10496]
[10497]
[10498]
[10499]
[10500]
[10501]
[10502]
[10503]
[10504]
[10505]
[10506]
[10507]
[10508]
[10509]
[10510]
[10511]
[10512]
[10513]
[10514]
[10515]
[10516]
[10517]
[10518]
[10519]
[10520]
[10521]
[10522]
[10523]
[10524]
[10525]
[10526]
[10527]
[10528]
[10529]
[10530]
[10531]
[10532]
[10533]
[10534]
[10535]
[10536]
[10537]
[10538]
[10539]
[10540]
[10541]
[10542]
[10543]
[10544]
[10545]
[10546]
[10547]
[10548]
[10549]
[10550]
[10551]
[10552]
[10553]
[10554]
[10555]
[10556]
[10557]
[10558]
[10559]
[10560]
[10561]
[10562]
[10563]
[10564]
[10565]
[10566]
[10567]
[10568]
[10569]
[10570]
[10571]
[10572]
[10573]
[10574]
[10575]
[10576]
[10577]
[10578]
[10579]
[10580]
[10581]
[10582]
[10583]
[10584]
[10585]
[10586]
[10587]
[10588]
[10589]
[10590]
[10591]
[10592]
[10593]
[10594]
[10595]
[10596]
[10597]
[10598]
[10599]
[10600]
[10601]
[10602]
[10603]
[10604]
[10605]
[10606]
[10607]
[10608]
[10609]
[10610]
[10611]
[10612]
[10613]
[10614]
[10615]
[10616]
[10617]
[10618]
[10619]
[10620]
[10621]
[10622]
[10623]
[10624]
[10625]
[10626]
[10627]
[10628]
[10629]
[10630]
[10631]
[10632]
[10633]
[10634]
[10635]
[10636]
[10637]
[10638]
[10639]
[10640]
[10641]
[10642]
[10643]
[10644]
[10645]
[10646]
[10647]
[10648]
[10649]
[10650]
[10651]
[10652]
[10653]
[10654]
[10655]
[10656]
[10657]
[10658]
[10659]
[10660]
[10661]
[10662]
[10663]
[10664]
[10665]
[10666]
[10667]
[10668]
[10669]
[10670]
[10671]
[10672]
[10673]
[10674]
[10675]
[10676]
[10677]
[10678]
[10679]
[10680]
[10681]
[10682]
[10683]
[10684]
[10685]
[10686]
[10687]
[10688]
[10689]
[10690]
[10691]
[10692]
[10693]
[10694]
[10695]
[10696]
[10697]
[10698]
[10699]
[10700]
[10701]
[10702]
[10703]
[10704]
[10705]
[10706]
[10707]
[10708]
[10709]
[10710]
[10711]
[10712]
[10713]
[10714]
[10715]
[10716]
[10717]
[10718]
[10719]
[10720]
[10721]
[10722]
[10723]
[10724]
[10725]
[10726]
[10727]
[10728]
[10729]
[10730]
[10731]
[10732]
[10733]
[10734]
[10735]
[10736]
[10737]
[10738]
[10739]
[10740]
[10741]
[10742]
[10743]
[10744]
[10745]
[10746]
[10747]
[10748]
[10749]
[10750]
[10751]
[10752]
[10753]
[10754]
[10755]
[10756]
[10757]
[10758]
[10759]
[10760]
[10761]
[10762]
[10763]
[10764]
[10765]
[10766]
[10767]
[10768]
[10769]
[10770]
[10771]
[10772]
[10773]
[10774]
[10775]
[10776]
[10777]
[10778]
[10779]
[10780]
[10781]
[10782]
[10783]
[10784]
[10785]
[10786]
[10787]
[10788]
[10789]
[10790]
[10791]
[10792]
[10793]
[10794]
[10795]
[10796]
[10797]
[10798]
[10799]
[10800]
[10801]
[10802]
[10803]
[10804]
[10805]
[10806]
[10807]
[10808]
[10809]
[10810]
[10811]
[10812]
[10813]
[10814]
[10815]
[10816]
[10817]
[10818]
[10819]
[10820]
[10821]
[10822]
[10823]
[10824]
[10825]
[10826]
[10827]
[10828]
[10829]
[10830]
[10831]
[10832]
[10833]
[10834]
[10835]
[10836]
[10837]
[10838]
[10839]
[10840]
[10841]
[10842]
[10843]
[10844]
[10845]
[10846]
[10847]
[10848]
[10849]
[10850]
[10851]
[10852]
[10853]
[10854]
[10855]
[10856]
[10857]
[10858]
[10859]
[10860]
[10861]
[10862]
[10863]
[10864]
[10865]
[10866]
[10867]
[10868]
[10869]
[10870]
[10871]
[10872]
[10873]
[10874]
[10875]
[10876]
[10877]
[10878]
[10879]
[10880]
[10881]
[10882]
[10883]
[10884]
[10885]
[10886]
[10887]
[10888]
[10889]
[10890]
[10891]
[10892]
[10893]
[10894]
[10895]
[10896]
[10897]
[10898]
[10899]
[10900]
[10901]
[10902]
[10903]
[10904]
[10905]
[10906]
[10907]
[10908]
[10909]
[10910]
[10911]
[10912]
[10913]
[10914]
[10915]
[10916]
[10917]
[10918]
[10919]
[10920]
[10921]
[10922]
[10923]
[10924]
[10925]
[10926]
[10927]
[10928]
[10929]
[10930]
[10931]
[10932]
[10933]
[10934]
[10935]
[10936]
[10937]
[10938]
[10939]
[10940]
[10941]
[10942]
[10943]
[10944]
[10945]
[10946]
[10947]
[10948]
[10949]
[10950]
[10951]
[10952]
[10953]
[10954]
[10955]
[10956]
[10957]
[10958]
[10959]
[10960]
[10961]
[10962]
[10963]
[10964]
[10965]
[10966]
[10967]
[10968]
[10969]
[10970]
[10971]
[10972]
[10973]
[10974]
[10975]
[10976]
[10977]
[10978]
[10979]
[10980]
[10981]
[10982]
[10983]
[10984]
[10985]
[10986]
[10987]
[10988]
[10989]
[10990]
[10991]
[10992]
[10993]
[10994]
[10995]
[10996]
[10997]
[10998]
[10999]
[11000]
[11001]
[11002]
[11003]
[11004]
[11005]
[11006]
[11007]
[11008]
[11009]
[11010]
[11011]
[11012]
[11013]
[11014]
[11015]
[11016]
[11017]
[11018]
[11019]
[11020]
[11021]
[11022]
[11023]
[11024]
[11025]
[11026]
[11027]
[11028]
[11029]
[11030]
[11031]
[11032]
[11033]
[11034]
[11035]
[11036]
[11037]
[11038]
[11039]
[11040]
[11041]
[11042]
[11043]
[11044]
[11045]
[11046]
[11047]
[11048]
[11049]
[11050]
[11051]
[11052]
[11053]
[11054]
[11055]
[11056]
[11057]
[11058]
[11059]
[11060]
[11061]
[11062]
[11063]
[11064]
[11065]
[11066]
[11067]
[11068]
[11069]
[11070]
[11071]
[11072]
[11073]
[11074]
[11075]
[11076]
[11077]
[11078]
[11079]
[11080]
[11081]
[11082]
[11083]
[11084]
[11085]
[11086]
[11087]
[11088]
[11089]
[11090]
[11091]
[11092]
[11093]
[11094]
[11095]
[11096]
[11097]
[11098]
[11099]
[11100]
[11101]
[11102]
[11103]
[11104]
[11105]
[11106]
[11107]
[11108]
[11109]
[11110]
[11111]
[11112]
[11113]
[11114]
[11115]
[11116]
[11117]
[11118]
[11119]
[11120]
[11121]
[11122]
[11123]
[11124]
[11125]
[11126]
[11127]
[11128]
[11129]
[11130]
[11131]
[11132]
[11133]
[11134]
[11135]
[11136]
[11137]
[11138]
[11139]
[11140]
[11141]
[11142]
[11143]
[11144]
[11145]
[11146]
[11147]
[11148]
[11149]
[11150]
[11151]
[11152]
[11153]
[11154]
[11155]
[11156]
[11157]
[11158]
[11159]
[11160]
[11161]
[11162]
[11163]
[11164]
[11165]
[11166]
[11167]
[11168]
[11169]
[11170]
[11171]
[11172]
[11173]
[11174]
[11175]
[11176]
[11177]
[11178]
[11179]
[11180]
[11181]
[11182]
[11183]
[11184]
[11185]
[11186]
[11187]
[11188]
[11189]
[11190]
[11191]
[11192]
[11193]
[11194]
[11195]
[11196]
[11197]
[11198]
[11199]
[11200]
[11201]
[11202]
[11203]
[11204]
[11205]
[11206]
[11207]
[11208]
[11209]
[11210]
[11211]
[11212]
[11213]
[11214]
[11215]
[11216]
[11217]
[11218]
[11219]
[11220]
[11221]
[11222]
[11223]
[11224]
[11225]
[11226]
[11227]
[11228]
[11229]
[11230]
[11231]
[11232]
[11233]
[11234]
[11235]
[11236]
[11237]
[11238]
[11239]
[11240]
[11241]
[11242]
[11243]
[11244]
[11245]
[11246]
[11247]
[11248]
[11249]
[11250]
[11251]
[11252]
[11253]
[11254]
[11255]
[11256]
[11257]
[11258]
[11259]
[11260]
[11261]
[11262]
[11263]
[11264]
[11265]
[11266]
[11267]
[11268]
[11269]
[11270]
[11271]
[11272]
[11273]
[11274]
[11275]
[11276]
[11277]
[11278]
[11279]
[11280]
[11281]
[11282]
[11283]
[11284]
[11285]
[11286]
[11287]
[11288]
[11289]
[11290]
[11291]
[11292]
[11293]
[11294]
[11295]
[11296]
[11297]
[11298]
[11299]
[11300]
[11301]
[11302]
[11303]
[11304]
[11305]
[11306]
[11307]
[11308]
[11309]
[11310]
[11311]
[11312]
[11313]
[11314]
[11315]
[11316]
[11317]
[11318]
[11319]
[11320]
[11321]
[11322]
[11323]
[11324]
[11325]
[11326]
[11327]
[11328]
[11329]
[11330]
[11331]
[11332]
[11333]
[11334]
[11335]
[11336]
[11337]
[11338]
[11339]
[11340]
[11341]
[11342]
[11343]
[11344]
[11345]
[11346]
[11347]
[11348]
[11349]
[11350]
[11351]
[11352]
[11353]
[11354]
[11355]
[11356]
[11357]
[11358]
[11359]
[11360]
[11361]
[11362]
[11363]
[11364]
[11365]
[11366]
[11367]
[11368]
[11369]
[11370]
[11371]
[11372]
[11373]
[11374]
[11375]
[11376]
[11377]
[11378]
[11379]
[11380]
[11381]
[11382]
[11383]
[11384]
[11385]
[11386]
[11387]
[11388]
[11389]
[11390]
[11391]
[11392]
[11393]
[11394]
[11395]
[11396]
[11397]
[11398]
[11399]
[11400]
[11401]
[11402]
[11403]
[11404]
[11405]
[11406]
[11407]
[11408]
[11409]
[11410]
[11411]
[11412]
[11413]
[11414]
[11415]
[11416]
[11417]
[11418]
[11419]
[11420]
[11421]
[11422]
[11423]
[11424]
[11425]
[11426]
[11427]
[11428]
[11429]
[11430]
[11431]
[11432]
[11433]
[11434]
[11435]
[11436]
[11437]
[11438]
[11439]
[11440]
[11441]
[11442]
[11443]
[11444]
[11445]
[11446]
[11447]
[11448]
[11449]
[11450]
[11451]
[11452]
[11453]
[11454]
[11455]
[11456]
[11457]
[11458]
[11459]
[11460]
[11461]
[11462]
[11463]
[11464]
[11465]
[11466]
[11467]
[11468]
[11469]
[11470]
[11471]
[11472]
[11473]
[11474]
[11475]
[11476]
[11477]
[11478]
[11479]
[11480]
[11481]
[11482]
[11483]
[11484]
[11485]
[11486]
[11487]
[11488]
[11489]
[11490]
[11491]
[11492]
[11493]
[11494]
[11495]
[11496]
[11497]
[11498]
[11499]
[11500]
[11501]
[11502]
[11503]
[11504]
[11505]
[11506]
[11507]
[11508]
[11509]
[11510]
[11511]
[11512]
[11513]
[11514]
[11515]
[11516]
[11517]
[11518]
[11519]
[11520]
[11521]
[11522]
[11523]
[11524]
[11525]
[11526]
[11527]
[11528]
[11529]
[11530]
[11531]
[11532]
[11533]
[11534]
[11535]
[11536]
[11537]
[11538]
[11539]
[11540]
[11541]
[11542]
[11543]
[11544]
[11545]
[11546]
[11547]
[11548]
[11549]
[11550]
[11551]
[11552]
[11553]
[11554]
[11555]
[11556]
[11557]
[11558]
[11559]
[11560]
[11561]
[11562]
[11563]
[11564]
[11565]
[11566]
[11567]
[11568]
[11569]
[11570]
[11571]
[11572]
[11573]
[11574]
[11575]
[11576]
[11577]
[11578]
[11579]
[11580]
[11581]
[11582]
[11583]
[11584]
[11585]
[11586]
[11587]
[11588]
[11589]
[11590]
[11591]
[11592]
[11593]
[11594]
[11595]
[11596]
[11597]
[11598]
[11599]
[11600]
[11601]
[11602]
[11603]
[11604]
[11605]
[11606]
[11607]
[11608]
[11609]
[11610]
[11611]
[11612]
[11613]
[11614]
[11615]
[11616]
[11617]
[11618]
[11619]
[11620]
[11621]
[11622]
[11623]
[11624]
[11625]
[11626]
[11627]
[11628]
[11629]
[11630]
[11631]
[11632]
[11633]
[11634]
[11635]
[11636]
[11637]
[11638]
[11639]
[11640]
[11641]
[11642]
[11643]
[11644]
[11645]
[11646]
[11647]
[11648]
[11649]
[11650]
[11651]
[11652]
[11653]
[11654]
[11655]
[11656]
[11657]
[11658]
[11659]
[11660]
[11661]
[11662]
[11663]
[11664]
[11665]
[11666]
[11667]
[11668]
[11669]
[11670]
[11671]
[11672]
[11673]
[11674]
[11675]
[11676]
[11677]
[11678]
[11679]
[11680]
[11681]
[11682]
[11683]
[11684]
[11685]
[11686]
[11687]
[11688]
[11689]
[11690]
[11691]
[11692]
[11693]
[11694]
[11695]
[11696]
[11697]
[11698]
[11699]
[11700]
[11701]
[11702]
[11703]
[11704]
[11705]
[11706]
[11707]
[11708]
[11709]
[11710]
[11711]
[11712]
[11713]
[11714]
[11715]
[11716]
[11717]
[11718]
[11719]
[11720]
[11721]
[11722]
[11723]
[11724]
[11725]
[11726]
[11727]
[11728]
[11729]
[11730]
[11731]
[11732]
[11733]
[11734]
[11735]
[11736]
[11737]
[11738]
[11739]
[11740]
[11741]
[11742]
[11743]
[11744]
[11745]
[11746]
[11747]
[11748]
[11749]
[11750]
[11751]
[11752]
[11753]
[11754]
[11755]
[11756]
[11757]
[11758]
[11759]
[11760]
[11761]
[11762]
[11763]
[11764]
[11765]
[11766]
[11767]
[11768]
[11769]
[11770]
[11771]
[11772]
[11773]
[11774]
[11775]
[11776]
[11777]
[11778]
[11779]
[11780]
[11781]
[11782]
[11783]
[11784]
[11785]
[11786]
[11787]
[11788]
[11789]
[11790]
[11791]
[11792]
[11793]
[11794]
[11795]
[11796]
[11797]
[11798]
[11799]
[11800]
[11801]
[11802]
[11803]
[11804]
[11805]
[11806]
[11807]
[11808]
[11809]
[11810]
[11811]
[11812]
[11813]
[11814]
[11815]
[11816]
[11817]
[11818]
[11819]
[11820]
[11821]
[11822]
[11823]
[11824]
[11825]
[11826]
[11827]
[11828]
[11829]
[11830]
[11831]
[11832]
[11833]
[11834]
[11835]
[11836]
[11837]
[11838]
[11839]
[11840]
[11841]
[11842]
[11843]
[11844]
[11845]
[11846]
[11847]
[11848]
[11849]
[11850]
[11851]
[11852]
[11853]
[11854]
[11855]
[11856]
[11857]
[11858]
[11859]
[11860]
[11861]
[11862]
[11863]
[11864]
[11865]
[11866]
[11867]
[11868]
[11869]
[11870]
[11871]
[11872]
[11873]
[11874]
[11875]
[11876]
[11877]
[11878]
[11879]
[11880]
[11881]
[11882]
[11883]
[11884]
[11885]
[11886]
[11887]
[11888]
[11889]
[11890]
[11891]
[11892]
[11893]
[11894]
[11895]
[11896]
[11897]
[11898]
[11899]
[11900]
[11901]
[11902]
[11903]
[11904]
[11905]
[11906]
[11907]
[11908]
[11909]
[11910]
[11911]
[11912]
[11913]
[11914]
[11915]
[11916]
[11917]
[11918]
[11919]
[11920]
[11921]
[11922]
[11923]
[11924]
[11925]
[11926]
[11927]
[11928]
[11929]
[11930]
[11931]
[11932]
[11933]
[11934]
[11935]
[11936]
[11937]
[11938]
[11939]
[11940]
[11941]
[11942]
[11943]
[11944]
[11945]
[11946]
[11947]
[11948]
[11949]
[11950]
[11951]
[11952]
[11953]
[11954]
[11955]
[11956]
[11957]
[11958]
[11959]
[11960]
[11961]
[11962]
[11963]
[11964]
[11965]
[11966]
[11967]
[11968]
[11969]
[11970]
[11971]
[11972]
[11973]
[11974]
[11975]
[11976]
[11977]
[11978]
[11979]
[11980]
[11981]
[11982]
[11983]
[11984]
[11985]
[11986]
[11987]
[11988]
[11989]
[11990]
[11991]
[11992]
[11993]
[11994]
[11995]
[11996]
[11997]
[11998]
[11999]
[12000]
[12001]
[12002]
[12003]
[12004]
[12005]
[12006]
[12007]
[12008]
[12009]
[12010]
[12011]
[12012]
[12013]
[12014]
[12015]
[12016]
[12017]
[12018]
[12019]
[12020]
[12021]
[12022]
[12023]
[12024]
[12025]
[12026]
[12027]
[12028]
[12029]
[12030]
[12031]
[12032]
[12033]
[12034]
[12035]
[12036]
[12037]
[12038]
[12039]
[12040]
[12041]
[12042]
[12043]
[12044]
[12045]
[12046]
[12047]
[12048]
[12049]
[12050]
[12051]
[12052]
[12053]
[12054]
[12055]
[12056]
[12057]
[12058]
[12059]
[12060]
[12061]
[12062]
[12063]
[12064]
[12065]
[12066]
[12067]
[12068]
[12069]
[12070]
[12071]
[12072]
[12073]
[12074]
[12075]
[12076]
[12077]
[12078]
[12079]
[12080]
[12081]
[12082]
[12083]
[12084]
[12085]
[12086]
[12087]
[12088]
[12089]
[12090]
[12091]
[12092]
[12093]
[12094]
[12095]
[12096]
[12097]
[12098]
[12099]
[12100]
[12101]
[12102]
[12103]
[12104]
[12105]
[12106]
[12107]
[12108]
[12109]
[12110]
[12111]
[12112]
[12113]
[12114]
[12115]
[12116]
[12117]
[12118]
[12119]
[12120]
[12121]
[12122]
[12123]
[12124]
[12125]
[12126]
[12127]
[12128]
[12129]
[12130]
[12131]
[12132]
[12133]
[12134]
[12135]
[12136]
[12137]
[12138]
[12139]
[12140]
[12141]
[12142]
[12143]
[12144]
[12145]
[12146]
[12147]
[12148]
[12149]
[12150]
[12151]
[12152]
[12153]
[12154]
[12155]
[12156]
[12157]
[12158]
[12159]
[12160]
[12161]
[12162]
[12163]
[12164]
[12165]
[12166]
[12167]
[12168]
[12169]
[12170]
[12171]
[12172]
[12173]
[12174]
[12175]
[12176]
[12177]
[12178]
[12179]
[12180]
[12181]
[12182]
[12183]
[12184]
[12185]
[12186]
[12187]
[12188]
[12189]
[12190]
[12191]
[12192]
[12193]
[12194]
[12195]
[12196]
[12197]
[12198]
[12199]
[12200]
[12201]
[12202]
[12203]
[12204]
[12205]
[12206]
[12207]
[12208]
[12209]
[12210]
[12211]
[12212]
[12213]
[12214]
[12215]
[12216]
[12217]
[12218]
[12219]
[12220]
[12221]
[12222]
[12223]
[12224]
[12225]
[12226]
[12227]
[12228]
[12229]
[12230]
[12231]
[12232]
[12233]
[12234]
[12235]
[12236]
[12237]
[12238]
[12239]
[12240]
[12241]
[12242]
[12243]
[12244]
[12245]
[12246]
[12247]
[12248]
[12249]
[12250]
[12251]
[12252]
[12253]
[12254]
[12255]
[12256]
[12257]
[12258]
[12259]
[12260]
[12261]
[12262]
[12263]
[12264]
[12265]
[12266]
[12267]
[12268]
[12269]
[12270]
[12271]
[12272]
[12273]
[12274]
[12275]
[12276]
[12277]
[12278]
[12279]
[12280]
[12281]
[12282]
[12283]
[12284]
[12285]
[12286]
[12287]
[12288]
[12289]
[12290]
[12291]
[12292]
[12293]
[12294]
[12295]
[12296]
[12297]
[12298]
[12299]
[12300]
[12301]
[12302]
[12303]
[12304]
[12305]
[12306]
[12307]
[12308]
[12309]
[12310]
[12311]
[12312]
[12313]
[12314]
[12315]
[12316]
[12317]
[12318]
[12319]
[12320]
[12321]
[12322]
[12323]
[12324]
[12325]
[12326]
[12327]
[12328]
[12329]
[12330]
[12331]
[12332]
[12333]
[12334]
[12335]
[12336]
[12337]
[12338]
[12339]
[12340]
[12341]
[12342]
[12343]
[12344]
[12345]
[12346]
[12347]
[12348]
[12349]
[12350]
[12351]
[12352]
[12353]
[12354]
[12355]
[12356]
[12357]
[12358]
[12359]
[12360]
[12361]
[12362]
[12363]
[12364]
[12365]
[12366]
[12367]
[12368]
[12369]
[12370]
[12371]
[12372]
[12373]
[12374]
[12375]
[12376]
[12377]
[12378]
[12379]
[12380]
[12381]
[12382]
[12383]
[12384]
[12385]
[12386]
[12387]
[12388]
[12389]
[12390]
[12391]
[12392]
[12393]
[12394]
[12395]
[12396]
[12397]
[12398]
[12399]
[12400]
[12401]
[12402]
[12403]
[12404]
[12405]
[12406]
[12407]
[12408]
[12409]
[12410]
[12411]
[12412]
[12413]
[12414]
[12415]
[12416]
[12417]
[12418]
[12419]
[12420]
[12421]
[12422]
[12423]
[12424]
[12425]
[12426]
[12427]
[12428]
[12429]
[12430]
[12431]
[12432]
[12433]
[12434]
[12435]
[12436]
[12437]
[12438]
[12439]
[12440]
[12441]
[12442]
[12443]
[12444]
[12445]
[12446]
[12447]
[12448]
[12449]
[12450]
[12451]
[12452]
[12453]
[12454]
[12455]
[12456]
[12457]
[12458]
[12459]
[12460]
[12461]
[12462]
[12463]
[12464]
[12465]
[12466]
[12467]
[12468]
[12469]
[12470]
[12471]
[12472]
[12473]
[12474]
[12475]
[12476]
[12477]
[12478]
[12479]
[12480]
[12481]
[12482]
[12483]
[12484]
[12485]
[12486]
[12487]
[12488]
[12489]
[12490]
[12491]
[12492]
[12493]
[12494]
[12495]
[12496]
[12497]
[12498]
[12499]
[12500]
[12501]
[12502]
[12503]
[12504]
[12505]
[12506]
[12507]
[12508]
[12509]
[12510]
[12511]
[12512]
[12513]
[12514]
[12515]
[12516]
[12517]
[12518]
[12519]
[12520]
[12521]
[12522]
[12523]
[12524]
[12525]
[12526]
[12527]
[12528]
[12529]
[12530]
[12531]
[12532]
[12533]
[12534]
[12535]
[12536]
[12537]
[12538]
[12539]
[12540]
[12541]
[12542]
[12543]
[12544]
[12545]
[12546]
[12547]
[12548]
[12549]
[12550]
[12551]
[12552]
[12553]
[12554]
[12555]
[12556]
[12557]
[12558]
[12559]
[12560]
[12561]
[12562]
[12563]
[12564]
[12565]
[12566]
[12567]
[12568]
[12569]
[12570]
[12571]
[12572]
[12573]
[12574]
[12575]
[12576]
[12577]
[12578]
[12579]
[12580]
[12581]
[12582]
[12583]
[12584]
[12585]
[12586]
[12587]
[12588]
[12589]
[12590]
[12591]
[12592]
[12593]
[12594]
[12595]
[12596]
[12597]
[12598]
[12599]
[12600]
[12601]
[12602]
[12603]
[12604]
[12605]
[12606]
[12607]
[12608]
[12609]
[12610]
[12611]
[12612]
[12613]
[12614]
[12615]
[12616]
[12617]
[12618]
[12619]
[12620]
[12621]
[12622]
[12623]
[12624]
[12625]
[12626]
[12627]
[12628]
[12629]
[12630]
[12631]
[12632]
[12633]
[12634]
[12635]
[12636]
[12637]
[12638]
[12639]
[12640]
[12641]
[12642]
[12643]
[12644]
[12645]
[12646]
[12647]
[12648]
[12649]
[12650]
[12651]
[12652]
[12653]
[12654]
[12655]
[12656]
[12657]
[12658]
[12659]
[12660]
[12661]
[12662]
[12663]
[12664]
[12665]
[12666]
[12667]
[12668]
[12669]
[12670]
[12671]
[12672]
[12673]
[12674]
[12675]
[12676]
[12677]
[12678]
[12679]
[12680]
[12681]
[12682]
[12683]
[12684]
[12685]
[12686]
[12687]
[12688]
[12689]
[12690]
[12691]
[12692]
[12693]
[12694]
[12695]
[12696]
[12697]
[12698]
[12699]
[12700]
[12701]
[12702]
[12703]
[12704]
[12705]
[12706]
[12707]
[12708]
[12709]
[12710]
[12711]
[12712]
[12713]
[12714]
[12715]
[12716]
[12717]
[12718]
[12719]
[12720]
[12721]
[12722]
[12723]
[12724]
[12725]
[12726]
[12727]
[12728]
[12729]
[12730]
[12731]
[12732]
[12733]
[12734]
[12735]
[12736]
[12737]
[12738]
[12739]
[12740]
[12741]
[12742]
[12743]
[12744]
[12745]
[12746]
[12747]
[12748]
[12749]
[12750]
[12751]
[12752]
[12753]
[12754]
[12755]
[12756]
[12757]
[12758]
[12759]
[12760]
[12761]
[12762]
[12763]
[12764]
[12765]
[12766]
[12767]
[12768]
[12769]
[12770]
[12771]
[12772]
[12773]
[12774]
[12775]
[12776]
[12777]
[12778]
[12779]
[12780]
[12781]
[12782]
[12783]
[12784]
[12785]
[12786]
[12787]
[12788]
[12789]
[12790]
[12791]
[12792]
[12793]
[12794]
[12795]
[12796]
[12797]
[12798]
[12799]
[12800]
[12801]
[12802]
[12803]
[12804]
[12805]
[12806]
[12807]
[12808]
[12809]
[12810]
[12811]
[12812]
[12813]
[12814]
[12815]
[12816]
[12817]
[12818]
[12819]
[12820]
[12821]
[12822]
[12823]
[12824]
[12825]
[12826]
[12827]
[12828]
[12829]
[12830]
[12831]
[12832]
[12833]
[12834]
[12835]
[12836]
[12837]
[12838]
[12839]
[12840]
[12841]
[12842]
[12843]
[12844]
[12845]
[12846]
[12847]
[12848]
[12849]
[12850]
[12851]
[12852]
[12853]
[12854]
[12855]
[12856]
[12857]
[12858]
[12859]
[12860]
[12861]
[12862]
[12863]
[12864]
[12865]
[12866]
[12867]
[12868]
[12869]
[12870]
[12871]
[12872]
[12873]
[12874]
[12875]
[12876]
[12877]
[12878]
[12879]
[12880]
[12881]
[12882]
[12883]
[12884]
[12885]
[12886]
[12887]
[12888]
[12889]
[12890]
[12891]
[12892]
[12893]
[12894]
[12895]
[12896]
[12897]
[12898]
[12899]
[12900]
[12901]
[12902]
[12903]
[12904]
[12905]
[12906]
[12907]
[12908]
[12909]
[12910]
[12911]
[12912]
[12913]
[12914]
[12915]
[12916]
[12917]
[12918]
[12919]
[12920]
[12921]
[12922]
[12923]
[12924]
[12925]
[12926]
[12927]
[12928]
[12929]
[12930]
[12931]
[12932]
[12933]
[12934]
[12935]
[12936]
[12937]
[12938]
[12939]
[12940]
[12941]
[12942]
[12943]
[12944]
[12945]
[12946]
[12947]
[12948]
[12949]
[12950]
[12951]
[12952]
[12953]
[12954]
[12955]
[12956]
[12957]
[12958]
[12959]
[12960]
[12961]
[12962]
[12963]
[12964]
[12965]
[12966]
[12967]
[12968]
[12969]
[12970]
[12971]
[12972]
[12973]
[12974]
[12975]
[12976]
[12977]
[12978]
[12979]
[12980]
[12981]
[12982]
[12983]
[12984]
[12985]
[12986]
[12987]
[12988]
[12989]
[12990]
[12991]
[12992]
[12993]
[12994]
[12995]
[12996]
[12997]
[12998]
[12999]
[13000]
[13001]
<!DOCTYPE html>
<!-- WASDOC AXP-2.0.0 (CGILIB AXP-1.9.9) -->
<!-- wasDOC Copyright (C) 2019,2020 Mark G.Daniel - Apache-2.0 licenced -->
<!--  3-NOV-2021 02:50 -->
<noscript>NOTE: SOME FUNCTIONALITY EMPLOYS JAVASCRIPT</noscript>
<div id="erreport1" style="display:none;"></div>
<script>
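/*
 * Reveal the error report pane(s) and append `string` to them.
 * Panes are looked up as 'erreport1' and 'erreport2'; only erreport1 is
 * declared on this page, so a missing pane is skipped instead of aborting
 * the whole report with a TypeError on a null element.
 * NOTE(review): the text is appended via innerHTML and is therefore
 * interpreted as markup -- callers must only pass strings built by the
 * page itself, never content taken from the request or a response body.
 */
function errorReport(string) {
   for (var cnt = 1; cnt <= 2; cnt++) {
      var err = document.getElementById('erreport'+cnt);
      if (!err) continue;   // pane not present on this page
      err.style.display = 'block';
      err.innerHTML += string;
   }
}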
</script>
<style type="text/css">
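/* Base typography.  Headings: font-style only accepts normal|italic|oblique,
   so the former "font-style:bold" was an invalid declaration that the
   browser dropped; font-weight is the property that makes a heading bold. */
html { font-family: arial, verdana, sans-serif; font-size:12pt; margin:1em; }
h1 { font-size:124%; font-weight:bold;
     margin-top:1em; margin-bottom:0.5em; }
h2 { font-size:120%; font-weight:bold;
     margin-top:1.1em; margin-bottom:0.4em; }
h3 { font-size:116%; font-weight:bold;
     margin-top:1.0em; margin-bottom:0.3em; }
h4 { font-size:112%; font-weight:bold;
     margin-top:1.1em; margin-bottom:0.3em; }
h5 { font-size:112%; font-weight:bold;
     margin-top:1.1em; margin-bottom:0.3em; }
h6 { font-size:112%; font-weight:bold; padding:0; margin:0; }

/* Heading number (.numb) and title (.text) spans; an empty number span is
   collapsed so the title starts flush. */
h1 .text { text-decoration:underline; }
h1 .numb { padding-right:0.8em; }
h1 .numb:empty { display:none; padding-right:0; }
h2 .numb { padding-right:0.8em; }
h2 .numb:empty { display:none; padding-right:0; }
h3 .numb { padding-right:0.8em; }
h3 .numb:empty { display:none; padding-right:0; }
h4 .numb { padding-right:0.8em; }
h4 .numb:empty { display:none; padding-right:0; }
h5 .numb { display:none; padding-right:0; }
h6 .numb { display:none; padding-right:0; }

kbd { font-family:monospace; }

noscript { font-size:1.2em; }

p { line-height:1.1em; margin-top:1em; margin-bottom:1em; }

/* Inline text modifiers. */
.chunk { font-size:130%; text-decoration:underline; }
.head {}
.high {}
.bold { font-weight:bold; }
.center { text-align:center; }
.italic { font-style:italic; }
.left { text-align:left; }
.nowrap { white-space:nowrap; }
/* NOTE(review): .prewrap sets white-space:pre (no wrapping at all); the name
   suggests pre-wrap may have been intended -- confirm before changing. */
.prewrap { white-space:pre; }
.right { text-align:right; }
.strike { text-decoration:line-through; }
.under { text-decoration:underline; }

.backlight { background-color:#f2f2f2; }
.display0 { display:none; }

img { max-width:100%; }
.imglink { }

.link { }
.blank { }

/* Lists. */
.list { margin-bottom:1em; }
.list li { margin-top:0.5em; }
.list0 li { margin-top:0; }
.item {}

/* Tables: .tabl is a plain left-aligned table, .tabu a bordered right-aligned one. */
.tabl { border-collapse:collapse; text-align:left; margin:0.4em 2em 0.5em 2em; }
.tabu { border-collapse:collapse; text-align:right; margin:0.4em 2em 0.5em 2em; }

.tabr { vertical-align:top; }
.tabh { padding:0.2em 0 0 2em; margin:0; }
.tabd { padding:0.1em 0 0 2em; margin:0; }
/* NOTE(review): td:first-of-type is unscoped and so applies to every table
   on the page, unlike the class-scoped .tabh; .tabd:first-of-type may have
   been intended -- confirm before changing. */
.tabh:first-of-type, td:first-of-type { padding-left:0; }

.tabu .tabh,
.tabu .tabd { border:1px solid gray; padding:0.2em 0.3em 0.2em 0.3em; }
.tab0 { border:none; visibility:hidden; max-width:1em;
        white-space:nowrap; overflow:hidden; }

.tabauto { margin-left:auto; margin-right:auto; }

.tabr:empty { height:0.2em; }
.tabu .tabh:empty, .tabu .tabd:empty { border:none; visibility:hidden; }

/* Error banner, prefixed with a warning sign and a non-breaking space. */
.error { font-size:110%; color:black; background-color:yellow;
         font-family:sans-serif; font-weight:bold; font-style:normal;
         width:95%; border:solid 1px gray; padding:0.5em 1em 0.5em 1em; }
.error::before { content:'\026a0\00a0'; }
.image { }
/* Page separators; .page is a dashed rule on screen and a page break in print. */
.page { width:98%; border:1px dashed gray; margin:1.5em 0 1.8em 0; }
.epage { width:98%; border:1px dashed black; margin:1.5em 0 1.8em 0; }
.monosp { font-family:monospace; }
.ppage { display:none; }
.simple { list-style-type:none; }
.valtop { vertical-align:top; }
.valmid { vertical-align:middle; }
.valbot { vertical-align:bottom; }

/* Block containers for code, examples, notes and quotations. */
.code { border-style:solid; border-width:0 0 0 1px; padding-left:1em;
        font-family:monospace; white-space:pre; }
.block { }
.blockof { margin:0.4em 2em 0.5em 2em; }
.example { border-style:dashed; border-width:0 0 0 1px; padding-left:1em;
           margin-top:0.5em; margin-bottom:0.5em; white-space:pre; }
.indent { margin-left:2em; margin-right:2em; }
.noindent { margin-left:0; margin-right:0; }
.inblock { display:inline-block; }
.mono { white-space:pre; font-family:monospace; }
.note { margin:0.4em 2em 0.5em 2em; page-break-inside:avoid; }
.note h5 { margin-top:0 }
.note_hr { width:80%; border:1px solid gray; }
.prop { padding-left:1em; margin-top:0.5em; margin-bottom:0.5em; }
.quote { border-style:dashed; border-width:0 0 0 1px; padding-left:1em;
         margin-top:0.5em; margin-bottom:0.5em; }
.this { display:none; }

/* Links.  The focus ring is suppressed only for pointer focus; keyboard
   (:focus-visible) focus keeps the UA outline so tabbing stays visible.
   Browsers without :focus-visible drop the whole rule and show the outline. */
a:link,a:visited { color:black; text-decoration:none; }
a:hover,a:active { text-decoration:underline; }
a:focus:not(:focus-visible) { outline:0; }

/* Give fragment targets a sliver of height so :target scrolls land cleanly. */
:target:before { content:''; display:block; height:0.1em; margin:-0.1em; }
a.link:link, a.link:visited,a.link:active
{ color:midnightBlue; text-decoration:underline; text-decoration-style:solid; }

/* Table of contents, level 1.  Each colsN variant sets width and max-width;
   cols3/cols4 previously repeated max-width and never set width. */
.TOC1cols1 { width:80%; max-width:80%; }
.TOC1cols2 { column-count:2; width:80%; max-width:80%; }
.TOC1cols3 { column-count:3; width:90%; max-width:90%; }
.TOC1cols4 { column-count:4; width:100%; max-width:100%; }
.TOC1table { margin-left:2em; white-space:nowrap; break-inside:auto; }
.TOC1table tr { vertical-align:top; text-align:left; break-inside:avoid; break-after:auto; }
.TOC1table td+td { padding:0 0 0 0.5em; }
.TOC1table .numb { width:3em; max-width:3em; }
.TOC1table .sepr { width:5em; max-width:6em; overflow:hidden; }
.TOC1table .majr { font-weight:bold; }
.TOC1table .text { white-space:normal; }

/* These are due to Firefox (at least <= 76) recalcitrant multi-column handling.
   Web search "Split table into css columns, issue in Firefox" (stackoverflow).
   "Good grief, Charlie Brown!" */

.TOC1cols2 table,
.TOC1cols2 tbody,
.TOC1cols2 tr,
.TOC1cols3 table,
.TOC1cols3 tbody,
.TOC1cols3 tr,
.TOC1cols4 table,
.TOC1cols4 tbody,
.TOC1cols4 tr { display:block; padding:0; }

/* Table of contents, level 2. */
.TOC2cols1 { width:60%; max-width:60%; }
.TOC2cols2 { column-count:2; width:70%; max-width:70%; }
.TOC2cols3 { column-count:3; width:80%; max-width:80%; }
.TOC2cols4 { column-count:4; width:90%; max-width:90%; }
.TOC2table { margin-left:2em; white-space:nowrap; break-inside:auto; }
.TOC2table tr { vertical-align:top; text-align:left; break-inside:avoid; break-after:auto; }
.TOC2table .numb { font-weight:bold; padding-right:0.5em; }
.TOC2table .text { width:100%; white-space:normal; }

/* see "recalcitrant" above */
.TOC2cols2 table,
.TOC2cols2 tbody,
.TOC2cols2 tr,
.TOC2cols3 table,
.TOC2cols3 tbody,
.TOC2cols3 tr,
.TOC2cols4 table,
.TOC2cols4 tbody,
.TOC2cols4 tr { display:block; padding:0; }

/* Navigation bar (hidden in print, see @media print below). */
.NAVtable { margin:0.1em 0 0 2em; }
.NAVtable td { font-size:110%; font-weight:bold; padding:0; margin:0; }
.NAVtable a { padding:0 0.5em 0 0.5em; text-decoration:none; }

/* Index; .para entries are prefixed with a pilcrow and a non-breaking space. */
.IDXcols1 { width:80%; max-width:80%; }
.IDXcols2 { column-count:2; width:90%; max-width:90%; }
.IDXcols3 { column-count:3; width:95%; max-width:95%;  }
.IDXcols4 { column-count:4; width:100%; max-width:100%;  }
.IDXtable { margin:1em 0 1em 2em; white-space:nowrap; break-inside:auto; }
.IDXtable tr { vertical-align:top; text-align:left; break-inside:avoid; break-after:auto; }
.IDXtable .alpha { font-weight:bold; min-width:2em; }
.IDXtable .text  { width:100%; white-space:normal; }
.IDXtable .para:before { content:'\00b6\00a0'; }

/* see "recalcitrant" above */
.IDXcols2 table,
.IDXcols2 tbody,
.IDXcols2 tr,
.IDXcols3 table,
.IDXcols3 tbody,
.IDXcols3 tr,
.IDXcols4 table,
.IDXcols4 tbody,
.IDXcols4 tr { display:block; padding:0; }

.insight { background-color:cyan; font-family:monospace;
           padding:0 0.2em 0 0.2em; margin:0 0.2em 0 0.2em;
           font-size:100%; font-style:normal; font-weight:normal;
           text-decoration:none; }

.wasdoc { font-family: "Lucida Console", Monaco, monospace;
          letter-spacing:-0.07em; }

/* Screen-only: mark .blank (new-window) links with an arrow glyph. */
@media screen { .blank::after { content:"\2924"; }
                .print { display:none; }
}

@media print {
   table { page-break-inside:avoid; }
   .noprint { display:none; }
   .page { border:none; page-break-after: always; }
   .epage { display:none; }
   .ppage { page-break-after:always; }
   .NAVtable { display:none; }
   .NAVprint { display:block!important; }
}

@page { margin:2cm 1cm 2cm 1cm;  }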
</style>
<!-- source:0000_features.WASDOC -->

<style type="text/css">._smiley::after { font-size:150%; vertical-align:middle; content:'\263a' }</style>
<style type="text/css">._frowny::after { font-size:150%; vertical-align:middle; content:'\2639' }</style>
<style type="text/css">._button { border: 1px gray solid; border-radius:3px; padding:0.1em; margin:0.1em; font-size:90%; }</style>

<a id="0." href="#"></a>
<a id="0.0.0.0.1" href="#"></a>
<a id="0.wasdfeaturesandfacilities" href="#"></a>
<a id="wasdfeaturesandfacilities" href="#"></a>
<h1 class="head" style="font-size:140%;"><span class="text">WASD Features and Facilities</span></h1>

<p> For the version 12.0 release of WASD VMS Web Services.

<p> Published November 2021

<p> Document generated using <span class="high wasdoc">wasDOC</span> version 2.0.0

<a id="0.0.0.0.2" href="#"></a>
<a id="0.abstract" href="#"></a>
<a id="abstract" href="#"></a>
<h5 class="head"><span class="text">Abstract</span></h5>

<p> This document describes the more significant features and facilities
available with the WASD Web Services package.

<p> For installation and update details see
<a class="link blank" target="_blank" rel="noopener" href="../features/">WASD Web Services - Installation</a>
<!-- NOTE(review): this href resolves to ../features/, the directory this document lives in (see the search form action and the multi-part link below), although the link text is "Installation"; confirm the intended target document -->

<p> For detailed configuration information see
<a class="link blank" target="_blank" rel="noopener" href="../config/">WASD Web Services - Configuration</a>

<p> For information on CGI, CGIplus, ISAPI, OSU, etc., scripting, see
<a class="link blank" target="_blank" rel="noopener" href="../scripting/">WASD Web Services - Scripting</a>

<p> And for a description of WASD Web document, SSI and directory listing
behaviours and options, see <a class="link blank" target="_blank" rel="noopener" href="../env/">WASD Web Services - Environment</a>

<a id="0.0.0.0.3" href="#"></a>
<a id="0.onlinesearch" href="#"></a>
<a id="onlinesearch" href="#"></a>
<h5 class="head"><span class="text">Online Search</span></h5>
<p>
<table class="tabl noindent" style="border:1px #808080 solid;background-color:#eeeeee;margin-bottom:1.5em;">
<tr class="tabr">
<td class="tabd" style="padding:0.5em;"><form action="/cgi-bin/query/wasd_root/wasdoc/features/*.html" method="get" target="_top">
<input type="submit" value="Search for:">&nbsp;
<input type="search" name="search" size="20" aria-label="Search terms">&nbsp;
<input type="reset" value="Reset">
</form>
</table>

<p> <span class="high bold">WASD VMS Web Services &ndash; Copyright &copy; 1996-2021 Mark G. Daniel</span>

<a id="0.0.0.0.3.1" href="#"></a>
<a id="0.apachelicenseversion20" href="#"></a>
<a id="apachelicenseversion20" href="#"></a>
<h6 class="head display0"><span class="text">Apache License, Version 2.0</span></h6>
<a id="0.0.0.0.3.2" href="#"></a>
<a id="0.license" href="#"></a>
<a id="license" href="#"></a>
<h6 class="head display0"><span class="text">License</span></h6>
<p> Licensed under the <span class="high bold">Apache License</span>, Version 2.0 (the &quot;License&quot;);
<div class="blockof quote" style="font-size:0.9em;width:49em;margin:-0.5em 0 0 1em;">you may not use this software except in compliance with the License.
You may obtain a copy of the License at
<p> <a class="link blank" target="_blank" rel="noopener" style="margin-left:1em;" href="https://www.apache.org/licenses/LICENSE-2.0">https://www.apache.org/licenses/LICENSE-2.0</a>
<p> Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an &quot;AS IS&quot; BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
</div>

<p> <a class="link" href="mailto:Mark.Daniel@wasd.vsm.com.au">Mark.Daniel@wasd.vsm.com.au</a>
<br> <span class="high bold italic">A pox on the houses of all spammers.  Make that two poxes.</span>

<p> All copyright and trademarks within this document belong to their rightful
owners.  See <a class="link" href="#15.attributionandacknowledgement">15. Attribution and Acknowledgement</a>.


<p> This is the static, single-file version of the document.
<br> Alternative <a class="link" href="/wasd_root/wasdoc/features/features.html">multi-part</a> static
and <a class="link" href="/cgi-bin/wasdoc/wasd_root/wasdoc/features/">dynamic</a> versions are also available.

<br> Links followed by &#10532; open in a new browser window or tab.

<a id="0.0.0.0.4.2" href="#"></a>
<a id="0.tableofcontent" href="#"></a>
<a id="tableofcontent" href="#"></a>
<h1 class="head" style="font-size:120%;"><span class="text">Table of Contents</span></h1>


<div class="TOC1cols2">
<table class="TOC1table">
<tr><td class="sepr"><a href="#1.introduction">1.</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text majr"><a href="#1.introduction">Introduction</a>
<tr><td class="sepr"><a href="#1.1.troubleshooting">1.1</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#1.1.troubleshooting">Troubleshooting?</a>
<tr><td class="sepr"><a href="#2.packageoverview">2.</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text majr"><a href="#2.packageoverview">Package Overview</a>
<tr><td class="sepr"><a href="#2.1.serverbehaviour">2.1</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#2.1.serverbehaviour">Server Behaviour</a>
<tr><td class="sepr"><a href="#2.2.vmsversions">2.2</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#2.2.vmsversions">VMS Versions</a>
<tr><td class="sepr"><a href="#2.3.tcpippackages">2.3</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#2.3.tcpippackages">TCP/IP Packages</a>
<tr><td class="sepr"><a href="#2.4.internationalfeatures">2.4</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#2.4.internationalfeatures">International Features</a>
<tr><td class="sepr"><a href="#3.authenticationandauthorization">3.</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text majr"><a href="#3.authenticationandauthorization">Authentication and Authorization</a>
<tr><td class="sepr"><a href="#3.1.ruleinterpretation">3.1</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#3.1.ruleinterpretation">Rule Interpretation</a>
<tr><td class="sepr"><a href="#3.2.authenticationpolicy">3.2</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#3.2.authenticationpolicy">Authentication Policy</a>
<tr><td class="sepr"><a href="#3.3.permissionspathanduser">3.3</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#3.3.permissionspathanduser">Permissions, Path and User</a>
<tr><td class="sepr"><a href="#3.4.authorizationconfigurationfile">3.4</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#3.4.authorizationconfigurationfile">Authorization Configuration File</a>
<tr><td class="sepr"><a href="#3.5.authenticationsources">3.5</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#3.5.authenticationsources">Authentication Sources</a>
<tr><td class="sepr"><a href="#3.6.realmfullaccessreadonly">3.6</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#3.6.realmfullaccessreadonly">Realm, Full-Access, Read-Only</a>
<tr><td class="sepr"><a href="#3.7.virtualservers">3.7</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#3.7.virtualservers">Virtual Servers</a>
<tr><td class="sepr"><a href="#3.8.authorizationconfigurationexamples">3.8</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#3.8.authorizationconfigurationexamples">Authorization Configuration Examples</a>
<tr><td class="sepr"><a href="#3.8.1.kiss">3.8.1</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#3.8.1.kiss">KISS</a>
<tr><td class="sepr"><a href="#3.9.authorizationcache">3.9</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#3.9.authorizationcache">Authorization Cache</a>
<tr><td class="sepr"><a href="#3.10.sysuafauthenticatedusers">3.10</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#3.10.sysuafauthenticatedusers">SYSUAF-Authenticated Users</a>
<tr><td class="sepr"><a href="#3.10.1.acme">3.10.1</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#3.10.1.acme">ACME</a>
<tr><td class="sepr"><a href="#3.10.2.logontype">3.10.2</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#3.10.2.logontype">Logon Type</a>
<tr><td class="sepr"><a href="#3.10.3.rightsidentifiers">3.10.3</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#3.10.3.rightsidentifiers">Rights Identifiers</a>
<tr><td class="sepr"><a href="#3.10.4.wasdquothardwiredquotidentifiers">3.10.4</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#3.10.4.wasdquothardwiredquotidentifiers">WASD &quot;Hard-Wired&quot; Identifiers</a>
<tr><td class="sepr"><a href="#3.10.5.vmsaccountproxying">3.10.5</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#3.10.5.vmsaccountproxying">VMS Account Proxying</a>
<tr><td class="sepr"><a href="#3.10.6.nilaccessvmsaccounts">3.10.6</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#3.10.6.nilaccessvmsaccounts">Nil-Access VMS Accounts</a>
<tr><td class="sepr"><a href="#3.10.7.sysuafandssl">3.10.7</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#3.10.7.sysuafandssl">SYSUAF and SSL</a>
<tr><td class="sepr"><a href="#3.10.8.sysuafsecurityprofile">3.10.8</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#3.10.8.sysuafsecurityprofile">SYSUAF Security Profile</a>
<tr><td class="sepr"><a href="#3.10.9.sysuafprofileforfullsiteaccess">3.10.9</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#3.10.9.sysuafprofileforfullsiteaccess">SYSUAF Profile For Full Site Access</a>
<tr><td class="sepr"><a href="#3.11.tokenauthentication">3.11</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#3.11.tokenauthentication">Token Authentication</a>
<tr><td class="sepr"><a href="#3.12.skeletonkeyauthentication">3.12</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#3.12.skeletonkeyauthentication">Skeleton-Key Authentication</a>
<tr><td class="sepr"><a href="#3.13.controllingserverwriteaccess">3.13</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#3.13.controllingserverwriteaccess">Controlling Server Write Access</a>
<tr><td class="sepr"><a href="#3.14.securingallrequests">3.14</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#3.14.securingallrequests">Securing All Requests</a>
<tr><td class="sepr"><a href="#3.15.userpasswordmodification">3.15</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#3.15.userpasswordmodification">User Password Modification</a>
<tr><td class="sepr"><a href="#3.16.cancellingauthorization">3.16</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#3.16.cancellingauthorization">Cancelling Authorization</a>
<tr><td class="sepr"><a href="#4.transportlayersecurity">4.</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text majr"><a href="#4.transportlayersecurity">Transport Layer Security</a>
<tr><td class="sepr"><a href="#4.1.letsencrypt">4.1</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#4.1.letsencrypt">Let's Encrypt</a>
<tr><td class="sepr"><a href="#4.2.tlssslfunctionalitysources">4.2</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#4.2.tlssslfunctionalitysources">TLS/SSL Functionality Sources</a>
<tr><td class="sepr"><a href="#4.3.wasdsslquickstart">4.3</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#4.3.wasdsslquickstart">WASD SSL Quick-Start</a>
<tr><td class="sepr"><a href="#4.4.opensslexeapplication">4.4</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#4.4.opensslexeapplication">OPENSSL.EXE Application</a>
<tr><td class="sepr"><a href="#4.5.sslconfiguration">4.5</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#4.5.sslconfiguration">SSL Configuration</a>
<tr><td class="sepr"><a href="#4.5.1.wasdconfigservice">4.5.1</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#4.5.1.wasdconfigservice">WASD_CONFIG_SERVICE</a>
<tr><td class="sepr"><a href="#4.5.2.tlssslversions">4.5.2</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#4.5.2.tlssslversions">TLS/SSL Versions</a>
<tr><td class="sepr"><a href="#4.5.3.sslciphers">4.5.3</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#4.5.3.sslciphers">SSL Ciphers</a>
<tr><td class="sepr"><a href="#4.5.4.openssloptions">4.5.4</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#4.5.4.openssloptions">(Open)SSL Options</a>
<tr><td class="sepr"><a href="#4.5.5.forwardsecrecy">4.5.5</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#4.5.5.forwardsecrecy">Forward Secrecy</a>
<tr><td class="sepr"><a href="#4.5.6.sessionresumption">4.5.6</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#4.5.6.sessionresumption">Session Resumption</a>
<tr><td class="sepr"><a href="#4.5.7.stricttransportsecurity">4.5.7</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#4.5.7.stricttransportsecurity">Strict Transport Security</a>
<tr><td class="sepr"><a href="#4.5.8.sslservercertificate">4.5.8</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#4.5.8.sslservercertificate">SSL Server Certificate</a>
<tr><td class="sepr"><a href="#4.5.9.sslprivatekey">4.5.9</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#4.5.9.sslprivatekey">SSL Private Key</a>
<tr><td class="sepr"><a href="#4.5.10.sslvirtualservices">4.5.10</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#4.5.10.sslvirtualservices">SSL Virtual Services</a>
<tr><td class="sepr"><a href="#4.5.11.sslaccesscontrol">4.5.11</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#4.5.11.sslaccesscontrol">SSL Access Control</a>
<tr><td class="sepr"><a href="#4.5.12.authorizationusingx509certification">4.5.12</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#4.5.12.authorizationusingx509certification">Authorization Using X.509 Certification</a>
<tr><td class="sepr"><a href="#4.5.13.x509certificaterenegotiation">4.5.13</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#4.5.13.x509certificaterenegotiation">X.509 Certificate Renegotiation</a>
<tr><td class="sepr"><a href="#4.5.14.features">4.5.14</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#4.5.14.features">Features</a>
<tr><td class="sepr"><a href="#4.5.15.subjectalternativenameandotherextensions">4.5.15</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#4.5.15.subjectalternativenameandotherextensions">Subject Alternative Name and Other Extensions</a>
<tr><td class="sepr"><a href="#4.5.16.x509configuration">4.5.16</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#4.5.16.x509configuration">X509 Configuration</a>
<tr><td class="sepr"><a href="#4.5.17.certificateauthorityverificationfile">4.5.17</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#4.5.17.certificateauthorityverificationfile">Certificate Authority Verification File</a>
<tr><td class="sepr"><a href="#4.5.18.x509authorizationcgivariables">4.5.18</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#4.5.18.x509authorizationcgivariables">X.509 Authorization CGI Variables</a>
<tr><td class="sepr"><a href="#4.6.certificatemanagement">4.6</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#4.6.certificatemanagement">Certificate Management</a>
<tr><td class="sepr"><a href="#4.6.1.servercertificate">4.6.1</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#4.6.1.servercertificate">Server Certificate</a>
<tr><td class="sepr"><a href="#4.6.2.certificatesigningrequest">4.6.2</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#4.6.2.certificatesigningrequest">Certificate Signing Request</a>
<tr><td class="sepr"><a href="#4.7.sslcgivariables">4.7</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#4.7.sslcgivariables">SSL CGI Variables</a>
<tr><td class="sepr"><a href="#4.8.sslserviceevaluation">4.8</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#4.8.sslserviceevaluation">SSL Service Evaluation</a>
<tr><td class="sepr"><a href="#4.9.sslreferences">4.9</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#4.9.sslreferences">SSL References</a>
<tr><td class="sepr"><a href="#5.http2">5.</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text majr"><a href="#5.http2">HTTP/2</a>
<tr><td class="sepr"><a href="#5.1.wasdhttp2">5.1</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#5.1.wasdhttp2">WASD HTTP/2</a>
<tr><td class="sepr"><a href="#5.2.http2andperformance">5.2</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#5.2.http2andperformance">HTTP/2 and Performance</a>
<tr><td class="sepr"><a href="#5.3.http2configuration">5.3</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#5.3.http2configuration">HTTP/2 Configuration</a>
<tr><td class="sepr"><a href="#5.3.1.globalconfiguration">5.3.1</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#5.3.1.globalconfiguration">Global Configuration</a>
<tr><td class="sepr"><a href="#5.3.2.serviceconfiguration">5.3.2</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#5.3.2.serviceconfiguration">Service Configuration</a>
<tr><td class="sepr"><a href="#5.3.3.http2setrules">5.3.3</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#5.3.3.http2setrules">HTTP/2 Set Rules</a>
<tr><td class="sepr"><a href="#5.4.http2detection">5.4</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#5.4.http2detection">HTTP/2 Detection</a>
<tr><td class="sepr"><a href="#5.5.http2references">5.5</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#5.5.http2references">HTTP/2 References</a>
<tr><td class="sepr"><a href="#6.webdav">6.</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text majr"><a href="#6.webdav">WebDAV</a>
<tr><td class="sepr"><a href="#6.1.httpmethodssupported">6.1</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#6.1.httpmethodssupported">HTTP Methods Supported</a>
<tr><td class="sepr"><a href="#6.1.1.copyrestrictions">6.1.1</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#6.1.1.copyrestrictions">COPY Restrictions</a>
<tr><td class="sepr"><a href="#6.1.2.deleterestrictions">6.1.2</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#6.1.2.deleterestrictions">DELETE Restrictions</a>
<tr><td class="sepr"><a href="#6.1.3.moverestrictions">6.1.3</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#6.1.3.moverestrictions">MOVE Restrictions</a>
<tr><td class="sepr"><a href="#6.1.4.ifrestrictions">6.1.4</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#6.1.4.ifrestrictions">If: Restrictions</a>
<tr><td class="sepr"><a href="#6.2.webdavconfiguration">6.2</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#6.2.webdavconfiguration">WebDAV Configuration</a>
<tr><td class="sepr"><a href="#6.2.1.webdavsetrules">6.2.1</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#6.2.1.webdavsetrules">WebDAV Set Rules</a>
<tr><td class="sepr"><a href="#6.2.2.filenaming">6.2.2</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#6.2.2.filenaming">File Naming</a>
<tr><td class="sepr"><a href="#6.2.3.filesystemaccess">6.2.3</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#6.2.3.filesystemaccess">File-system Access</a>
<tr><td class="sepr"><a href="#6.2.4.filesystemauthorisation">6.2.4</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#6.2.4.filesystemauthorisation">File-system Authorisation</a>
<tr><td class="sepr"><a href="#6.2.5.concurrentauthorisation">6.2.5</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#6.2.5.concurrentauthorisation">Concurrent Authorisation</a>
<tr><td class="sepr"><a href="#6.2.6.realworldexample">6.2.6</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#6.2.6.realworldexample">Real-World Example</a>
<tr><td class="sepr"><a href="#6.3.webdavmetadata">6.3</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#6.3.webdavmetadata">WebDAV Metadata</a>
<tr><td class="sepr"><a href="#6.4.webdavlocking">6.4</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#6.4.webdavlocking">WebDAV Locking</a>
<tr><td class="sepr"><a href="#6.5.somewrinkles">6.5</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#6.5.somewrinkles">Some Wrinkles</a>
<tr><td class="sepr"><a href="#6.5.1.osxfinder">6.5.1</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#6.5.1.osxfinder">OS X Finder</a>
<tr><td class="sepr"><a href="#6.5.2.gnomegvfsnautilus">6.5.2</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#6.5.2.gnomegvfsnautilus">Gnome/gvfs/Nautilus</a>
<tr><td class="sepr"><a href="#6.5.3.dreamweaver">6.5.3</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#6.5.3.dreamweaver">Dreamweaver</a>
<tr><td class="sepr"><a href="#6.6.microsoftmiscellanea">6.6</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#6.6.microsoftmiscellanea">Microsoft Miscellanea</a>
<tr><td class="sepr"><a href="#6.6.1.mapping">6.6.1</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#6.6.1.mapping">Mapping</a>
<tr><td class="sepr"><a href="#6.6.2.frontpageextensions">6.6.2</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#6.6.2.frontpageextensions">FrontPage Extensions</a>
<tr><td class="sepr"><a href="#6.6.3.avoidingmicrosoftpropertyclutter">6.6.3</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#6.6.3.avoidingmicrosoftpropertyclutter">Avoiding Microsoft Property Clutter</a>
<tr><td class="sepr"><a href="#6.6.4.optionsheaderquotmsauthorviadavquot">6.6.4</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#6.6.4.optionsheaderquotmsauthorviadavquot">OPTIONS header &quot;MS-Author-Via: DAV&quot;</a>
<tr><td class="sepr"><a href="#6.6.5.repairingbrokenxpwebfolders">6.6.5</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#6.6.5.repairingbrokenxpwebfolders">Repairing broken XP Web Folders</a>
<tr><td class="sepr"><a href="#6.6.6.addingaportnumbertothewebfolderaddress">6.6.6</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#6.6.6.addingaportnumbertothewebfolderaddress">Adding a port number to the webfolder-address</a>
<tr><td class="sepr"><a href="#6.6.7.addinganumbersignquotquottothewebfolderaddress">6.6.7</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#6.6.7.addinganumbersignquotquottothewebfolderaddress">Adding a number-sign (&quot;#&quot;) to the webfolder-address</a>
<tr><td class="sepr"><a href="#6.6.8.forcewindowsxptousebasicauthentication">6.6.8</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#6.6.8.forcewindowsxptousebasicauthentication">Force Windows XP to use Basic Authentication</a>
<tr><td class="sepr"><a href="#6.6.9.microsoftxpexplorerbasicauthentication">6.6.9</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#6.6.9.microsoftxpexplorerbasicauthentication">Microsoft XP Explorer BASIC Authentication</a>
<tr><td class="sepr"><a href="#6.6.10.microsoftwindows7basicauthentication">6.6.10</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#6.6.10.microsoftwindows7basicauthentication">Microsoft Windows 7 BASIC Authentication</a>
<tr><td class="sepr"><a href="#6.6.11.error0x800700dfthefilesizeexceedsthelimitallowedandcannotbesaved">6.6.11</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#6.6.11.error0x800700dfthefilesizeexceedsthelimitallowedandcannotbesaved">Error 0x800700DF: The file size exceeds the limit allowed and cannot be saved</a>
<tr><td class="sepr"><a href="#6.7.references">6.7</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#6.7.references">References</a>
<tr><td class="sepr"><a href="#7.proxyservices">7.</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text majr"><a href="#7.proxyservices">Proxy Services</a>
<tr><td class="sepr"><a href="#7.1.httpproxyserving">7.1</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#7.1.httpproxyserving">HTTP Proxy Serving</a>
<tr><td class="sepr"><a href="#7.1.1.enablingaproxyservice">7.1.1</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#7.1.1.enablingaproxyservice">Enabling A Proxy Service</a>
<tr><td class="sepr"><a href="#7.1.2.proxyaffinity">7.1.2</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#7.1.2.proxyaffinity">Proxy Affinity</a>
<tr><td class="sepr"><a href="#7.1.3.proxybind">7.1.3</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#7.1.3.proxybind">Proxy Bind</a>
<tr><td class="sepr"><a href="#7.1.4.proxychaining">7.1.4</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#7.1.4.proxychaining">Proxy Chaining</a>
<tr><td class="sepr"><a href="#7.1.5.controllingproxyserving">7.1.5</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#7.1.5.controllingproxyserving">Controlling Proxy Serving</a>
<tr><td class="sepr"><a href="#7.2.proxycache">7.2</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#7.2.proxycache">Proxy Cache</a>
<tr><td class="sepr"><a href="#7.3.connectserving">7.3</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#7.3.connectserving">CONNECT Serving</a>
<tr><td class="sepr"><a href="#7.3.1.enablingconnectserving">7.3.1</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#7.3.1.enablingconnectserving">Enabling CONNECT Serving</a>
<tr><td class="sepr"><a href="#7.3.2.controllingconnectserving">7.3.2</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#7.3.2.controllingconnectserving">Controlling CONNECT Serving</a>
<tr><td class="sepr"><a href="#7.4.socksversion5">7.4</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#7.4.socksversion5">SOCKS Version 5</a>
<tr><td class="sepr"><a href="#7.5.ftpproxyserving">7.5</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#7.5.ftpproxyserving">FTP Proxy Serving</a>
<tr><td class="sepr"><a href="#7.5.1.ftpquerystringkeywords">7.5.1</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#7.5.1.ftpquerystringkeywords">FTP Query String Keywords</a>
<tr><td class="sepr"><a href="#7.5.2.quotloginquotkeyword">7.5.2</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#7.5.2.quotloginquotkeyword">&quot;login&quot; Keyword</a>
<tr><td class="sepr"><a href="#7.6.gatewayingusingproxy">7.6</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#7.6.gatewayingusingproxy">Gatewaying Using Proxy</a>
<tr><td class="sepr"><a href="#7.6.1.reverseproxy">7.6.1</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#7.6.1.reverseproxy">Reverse Proxy</a>
<tr><td class="sepr"><a href="#7.6.2.proxyrework">7.6.2</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#7.6.2.proxyrework">Proxy Rework</a>
<tr><td class="sepr"><a href="#7.6.3.oneshotproxy">7.6.3</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#7.6.3.oneshotproxy">One-Shot Proxy</a>
<tr><td class="sepr"><a href="#7.6.4.dnswildcardproxy">7.6.4</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#7.6.4.dnswildcardproxy">DNS Wildcard Proxy</a>
<tr><td class="sepr"><a href="#7.6.5.originatingssl">7.6.5</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#7.6.5.originatingssl">Originating SSL</a>
<tr><td class="sepr"><a href="#7.7.tunnelingusingproxy">7.7</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#7.7.tunnelingusingproxy">Tunneling Using Proxy</a>
<tr><td class="sepr"><a href="#7.7.1.serviceproxytunnelconnect">7.7.1</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#7.7.1.serviceproxytunnelconnect">[ServiceProxyTunnel] CONNECT</a>
<tr><td class="sepr"><a href="#7.7.2.serviceproxytunnelraw">7.7.2</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#7.7.2.serviceproxytunnelraw">[ServiceProxyTunnel] RAW</a>
<tr><td class="sepr"><a href="#7.7.3.serviceproxytunnelfirewall">7.7.3</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#7.7.3.serviceproxytunnelfirewall">[ServiceProxyTunnel] FIREWALL</a>
<tr><td class="sepr"><a href="#7.7.4.encryptedtunnel">7.7.4</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#7.7.4.encryptedtunnel">Encrypted Tunnel</a>
<tr><td class="sepr"><a href="#7.7.5.encryptedtunnelwithauthentication">7.7.5</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#7.7.5.encryptedtunnelwithauthentication">Encrypted Tunnel With Authentication</a>
<tr><td class="sepr"><a href="#7.7.6.sharedsshtunnel">7.7.6</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#7.7.6.sharedsshtunnel">Shared SSH Tunnel</a>
<tr><td class="sepr"><a href="#7.7.7.complexprivatetunneling">7.7.7</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#7.7.7.complexprivatetunneling">Complex Private Tunneling</a>
<tr><td class="sepr"><a href="#7.7.8.tunnellingsource">7.7.8</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#7.7.8.tunnellingsource">Tunnelling Source</a>
<tr><td class="sepr"><a href="#7.8.browserproxyconfiguration">7.8</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#7.8.browserproxyconfiguration">Browser Proxy Configuration</a>
<tr><td class="sepr"><a href="#7.8.1.manual">7.8.1</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#7.8.1.manual">Manual</a>
<tr><td class="sepr"><a href="#7.8.2.automatic">7.8.2</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#7.8.2.automatic">Automatic</a>
<tr><td class="sepr"><a href="#8.instancesandenvironments">8.</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text majr"><a href="#8.instancesandenvironments">Instances and Environments</a>
<tr><td class="sepr"><a href="#8.1.serverinstances">8.1</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#8.1.serverinstances">Server Instances</a>
<tr><td class="sepr"><a href="#8.1.1.vmsclusteringcomparison">8.1.1</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#8.1.1.vmsclusteringcomparison">VMS Clustering Comparison</a>
<tr><td class="sepr"><a href="#8.1.2.considerations">8.1.2</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#8.1.2.considerations">Considerations</a>
<tr><td class="sepr"><a href="#8.1.3.configuration">8.1.3</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#8.1.3.configuration">Configuration</a>
<tr><td class="sepr"><a href="#8.1.4.status">8.1.4</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#8.1.4.status">Status</a>
<tr><td class="sepr"><a href="#8.2.serverenvironments">8.2</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#8.2.serverenvironments">Server Environments</a>
<tr><td class="sepr"><a href="#9.serveradministration">9.</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text majr"><a href="#9.serveradministration">Server Administration</a>
<tr><td class="sepr"><a href="#9.1.accessbeforeconfiguration">9.1</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#9.1.accessbeforeconfiguration">Access Before Configuration</a>
<tr><td class="sepr"><a href="#9.2.accessconfiguration">9.2</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#9.2.accessconfiguration">Access Configuration</a>
<tr><td class="sepr"><a href="#9.3.serverinstances">9.3</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#9.3.serverinstances">Server Instances</a>
<tr><td class="sepr"><a href="#9.4.httpdserverreports">9.4</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#9.4.httpdserverreports">HTTPd Server Reports</a>
<tr><td class="sepr"><a href="#9.5.httpdserverrevise">9.5</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#9.5.httpdserverrevise">HTTPd Server Revise</a>
<tr><td class="sepr"><a href="#9.6.httpdserveraction">9.6</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#9.6.httpdserveraction">HTTPd Server Action</a>
<tr><td class="sepr"><a href="#9.7.httpdcommandline">9.7</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#9.7.httpdcommandline">HTTPd Command Line</a>
<tr><td class="sepr"><a href="#9.7.1.accounting">9.7.1</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#9.7.1.accounting">Accounting</a>
<tr><td class="sepr"><a href="#9.7.2.alignmentfaults">9.7.2</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#9.7.2.alignmentfaults">Alignment Faults</a>
<tr><td class="sepr"><a href="#9.7.3.authentication">9.7.3</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#9.7.3.authentication">Authentication</a>
<tr><td class="sepr"><a href="#9.7.4.cache">9.7.4</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#9.7.4.cache">Cache</a>
<tr><td class="sepr"><a href="#9.7.5.configurationcheck">9.7.5</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#9.7.5.configurationcheck">Configuration Check</a>
<tr><td class="sepr"><a href="#9.7.6.dclscriptingprocesses">9.7.6</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#9.7.6.dclscriptingprocesses">DCL/Scripting Processes</a>
<tr><td class="sepr"><a href="#9.7.7.decnetscriptingconnections">9.7.7</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#9.7.7.decnetscriptingconnections">DECnet Scripting Connections</a>
<tr><td class="sepr"><a href="#9.7.8.hhelppp">9.7.8</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#9.7.8.hhelppp">Hhelppp!</a>
<tr><td class="sepr"><a href="#9.7.9.http2connection">9.7.9</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#9.7.9.http2connection">HTTP/2 Connection</a>
<tr><td class="sepr"><a href="#9.7.10.instances">9.7.10</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#9.7.10.instances">Instances</a>
<tr><td class="sepr"><a href="#9.7.11.instancestatus">9.7.11</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#9.7.11.instancestatus">Instance Status</a>
<tr><td class="sepr"><a href="#9.7.12.logging">9.7.12</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#9.7.12.logging">Logging</a>
<tr><td class="sepr"><a href="#9.7.13.mapping">9.7.13</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#9.7.13.mapping">Mapping</a>
<tr><td class="sepr"><a href="#9.7.14.networkconnection">9.7.14</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#9.7.14.networkconnection">Network Connection</a>
<tr><td class="sepr"><a href="#9.7.15.shutdownandrestart">9.7.15</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#9.7.15.shutdownandrestart">Shutdown and Restart</a>
<tr><td class="sepr"><a href="#9.7.16.securesocketslayer">9.7.16</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#9.7.16.securesocketslayer">Secure Sockets Layer</a>
<tr><td class="sepr"><a href="#9.7.17.throttle">9.7.17</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#9.7.17.throttle">Throttle</a>
<tr><td class="sepr"><a href="#9.7.18.websocket">9.7.18</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#9.7.18.websocket">WebSocket</a>
<tr><td class="sepr"><a href="#10.watchfacility">10.</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text majr"><a href="#10.watchfacility">WATCH Facility</a>
<tr><td class="sepr"><a href="#10.1.serverinstances">10.1</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#10.1.serverinstances">Server Instances</a>
<tr><td class="sepr"><a href="#10.2.eventcategories">10.2</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#10.2.eventcategories">Event Categories</a>
<tr><td class="sepr"><a href="#10.3.requestfiltering">10.3</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#10.3.requestfiltering">Request Filtering</a>
<tr><td class="sepr"><a href="#10.4.reportformat">10.4</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#10.4.reportformat">Report Format</a>
<tr><td class="sepr"><a href="#10.5.usagesuggestions">10.5</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#10.5.usagesuggestions">Usage Suggestions</a>
<tr><td class="sepr"><a href="#10.6.commandlineuse">10.6</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#10.6.commandlineuse">Command-Line Use</a>
<tr><td class="sepr"><a href="#11.serverperformance">11.</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text majr"><a href="#11.serverperformance">Server Performance</a>
<tr><td class="sepr"><a href="#11.1.simplefilerequestturnaround">11.1</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#11.1.simplefilerequestturnaround">Simple File Request Turn-Around</a>
<tr><td class="sepr"><a href="#11.2.scripting">11.2</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#11.2.scripting">Scripting</a>
<tr><td class="sepr"><a href="#12.httpdwebupdate">12.</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text majr"><a href="#12.httpdwebupdate">HTTPd Web Update</a>
<tr><td class="sepr"><a href="#13.utilitiesandfacilities">13.</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text majr"><a href="#13.utilitiesandfacilities">Utilities and Facilities</a>
<tr><td class="sepr"><a href="#13.1.echofacility">13.1</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#13.1.echofacility">Echo Facility</a>
<tr><td class="sepr"><a href="#13.2.hissfacility">13.2</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#13.2.hissfacility">Hiss Facility</a>
<tr><td class="sepr"><a href="#13.3.streamfacility">13.3</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#13.3.streamfacility">Stream Facility</a>
<tr><td class="sepr"><a href="#13.4.wherefacility">13.4</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#13.4.wherefacility">Where Facility</a>
<tr><td class="sepr"><a href="#13.5.xrayfacility">13.5</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#13.5.xrayfacility">Xray Facility</a>
<tr><td class="sepr"><a href="#13.6.calogs">13.6</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#13.6.calogs">CALogs</a>
<tr><td class="sepr"><a href="#13.7.cspreporter">13.7</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#13.7.cspreporter">CSPreport[er]</a>
<tr><td class="sepr"><a href="#13.8.htadmin">13.8</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#13.8.htadmin">HTAdmin</a>
<tr><td class="sepr"><a href="#13.9.httpdmonitor">13.9</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#13.9.httpdmonitor">HTTPd Monitor</a>
<tr><td class="sepr"><a href="#13.10.md5digest">13.10</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#13.10.md5digest">MD5digest</a>
<tr><td class="sepr"><a href="#13.11.qdlogstats">13.11</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#13.11.qdlogstats">QDLogStats</a>
<tr><td class="sepr"><a href="#13.12.sechanutility">13.12</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#13.12.sechanutility">SECHAN Utility</a>
<tr><td class="sepr"><a href="#13.13.streamlfutility">13.13</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#13.13.streamlfutility">StreamLF Utility</a>
<tr><td class="sepr"><a href="#13.14.wasteeutility">13.14</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#13.14.wasteeutility">WAStee Utility</a>
<tr><td class="sepr"><a href="#13.15.wotsuputility">13.15</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text"><a href="#13.15.wotsuputility">WOTSUP Utility</a>
<tr><td class="sepr"><a href="#14.index">14.</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text majr"><a href="#14.index">Index</a>
<tr><td class="sepr"><a href="#15.attributionandacknowledgement">15.</a>&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;&hellip;<td class="text majr"><a href="#15.attributionandacknowledgement">Attribution and Acknowledgement</a>
</table>
</div>

<br>
<!-- source:0100_INTRO.WASDOC -->
<hr class="page">
<a id="1." href="#"></a>
<a id="1.introduction" href="#"></a>
<a id="introduction" href="#"></a>
<h1 class="head"><span class="numb">1.</span><span class="text">Introduction</span></h1>

<table class="TOC2table">
<tr><td><a href="#1.1.troubleshooting"><span class="numb">1.1</span><span class="text">Troubleshooting?</span></a>
</table>
</div>

<table class="NAVtable NAVprint"><tr>
<td><a href="javascript:window.history.back();">&#8617;&#xFE0E;</a>
<td><a href="#0.">&#8598;&#xFE0E;</a>
<td><a href="#0.">&#8593;&#xFE0E;</a>
<td><a href="#2.">&#8600;&#xFE0E;</a>
<td><a href="javascript:window.history.forward();">&#8618;&#xFE0E;</a>
</table>

<p> With the installation, update and detailed configuration of the WASD Web
Services package provided in 
<a class="link blank" target="_blank" href="../config/">WASD Web Services - Install and Config</a>
why have an introduction in this subsequent document?  After getting the basics
up and running (often the first thing we want to do) it's time to stop and
consider the tool and what we're trying to accomplish with it.  So this section
provides an overview of the package's design philosophy, history and
significant features and capabilities by topic.

<p> The document <span class="high bold">assumes</span> a basic understanding of Web technologies and uses
terms without explaining them (e.g. HTTP, HTML, URL, CGI, SSI, etc.).  The
reader is referred to documents specifically on these topics. 

<a id="1.0.0.0.1" href="#"></a>
<a id="1.objectives" href="#"></a>
<a id="objectives" href="#"></a>
<h5 class="head"><span class="text">Objectives</span></h5>

<p> WASD Web Services originated from a 1993 decision by Wide Area Surveillance
Division (WASD) management (then High Frequency Radar Division, HFRD) to make
as much information as possible, both administrative and research, available
online to a burgeoning personal desktop workstation and PC environment (to use
the current term &hellip; an <span class="high italic">intranet</span>) using the then emerging Web
technologies. 

<p> It then became the objective of this author to make <span class="high italic">all</span> of our systems'
VMS-related resources available via HTTP and HTML, regardless of the underlying
data or storage format. An examination of the WASD package will show that this
objective is substantially achieved.

<a id="1.0.0.0.2" href="#"></a>
<a id="1.reasonsforyetanotherwebpackage" href="#"></a>
<a id="reasonsforyetanotherwebpackage" href="#"></a>
<h5 class="head"><span class="text">Reasons For Yet Another Web Package</span></h5>

<p> Reasons for developing (remember; back in 1994!) a local HTTP server were
few but compelling: 

<ul class="list">

<li class="item"> It was preferred to support this environment on a VMS platform;
at the time the most widely used and accessible environment within WASD. 

<li class="item"> At that time servers (and even then there were quite a few variations)
were largely Unix based, although it was being supported (to a greater or
lesser extent) across a wide range of platforms.  Ports to VMS, if they
existed, were often in-progress or half-baked, employing <span class="high italic">Unix</span>isms that
don't translate elegantly to the VMS environment. 

<li class="item"> The VMS version of the CERN server (3.0-6) was evaluated during
mid-1994:

<ul class="list">

<li class="item"> It was (still is) not multi-threaded under VMS (i.e. cannot support
concurrent clients).  For example, a lengthy search may delay other clients
for unacceptable periods. 

<li class="item"> The performance was good with document transfers, but became poor when 
running a <span class="high italic">script</span>. 

<li class="item"> It is acknowledged in the release notes that it cannot handle a client 
cancelling a data transfer (a not-uncommon action).  This was confirmed 
experimentally.

</ul>

<li class="item"> An early version of the OSU server was evaluated via documentation
mid-1994.  The author considered the DECthreads of the time to have
limitations (including frequent, show-stopping bugs) and OSU had a number of
implementation idiosyncrasies (e.g. DECnet based scripting).

<li class="item"> HTTP, in the then standard implementation (HTTP/1.0, RFC1945), was
relatively simple to implement to the level required to support
intra-Divisional requirements.

<li class="item"> Since that time &hellip;

<ul class="list">

<li class="item"> <span class="high bold">As of December 1995</span> the server has worked extremely well and has a
number of facilities tailored for the VMS environment.  It can continue to be
utilized until there are overwhelming reasons for implementing something else.

<li class="item"> <span class="high bold">June 1997</span> the server and associated software continues to evolve and
provide a stable and effective VMS Web environment, even with the advent of a
small number of commercial VMS Web products.

<li class="item"> <span class="high bold">October 1999</span> the package is beginning to mature as an HTTP/1.0
solution, providing not only a fast and stable server but an increasingly
extensive collection of applications and tools.

<li class="item"> <span class="high bold">July 2002</span> it continues to be refined and extended.  A greater
emphasis on &quot;commercial&quot; functionality has occurred over the past couple of
years.

<li class="item"> <span class="high bold">December 2004</span> it now complies with the HTTP/1.1 specification
(RFC2616) and provides a very respectable range of functionality and the
fastest and most efficient serving environment for VMS.

<li class="item"> <span class="high bold">A decade on (2014)</span> it continues to be adopted by sites wanting fast,
efficient, capable and often philosophically VMS infrastructure. WASD continues
to be enhanced and bug-fixed <span class="high under">two decades</span> after its initial, tentative steps
into the World-Wide information Web.

<li class="item"> <span class="high bold">May 2016</span> brings HTTP/2 (RFC 7540, RFC 7541) to WASD. A replacement
for how HTTP is expressed &quot;on the wire&quot;, it is not a ground-up rewrite of the
protocol; HTTP methods, status codes and semantics are the same.  The focus of
the protocol is on performance; specifically, end-user perceived latency,
network and server resource usage.

<li class="item"> <span class="high bold">June 2019</span> occasions WASD's twenty-fifth anniversary!
<br> <span class="high bold">For a quarter-century and more &ndash; the only web environment implemented
expressly for VMS</span>.

<li class="item"> <span class="high bold">Late 2021</span> ta-da! WASD on x86-64

</ul>

</ul>

<a id="1.1" href="#"></a>
<a id="1.1.troubleshooting" href="#"></a>
<a id="troubleshooting" href="#"></a>
<h2 class="head"><span class="numb">1.1</span><span class="text">Troubleshooting?</span></h2>

<p> When initially installing or configuring WASD, and sometimes later where
something breaks spectacularly, it is most useful to be able to gain insight
into what the server is up to.

<p> The <span class="high italic">go-to</span> tool is&nbsp;  <span style="font-size:110%">WATCH</span>&nbsp; 
(yes, all capitals, and for no other reason than it makes it stand out).

<p> WATCH is described in detail in <a class="link" href="#10.watchfacility">10. WATCH Facility</a> of this document.

<p> For most circumstances WATCH can be made available for troubleshooting even
if the configuration is significantly broken.  This is done by using a
skeleton-key to authorise special access into the server.

<p> The skeleton-key is described in detail in
<a class="link" href="#3.12.skeletonkeyauthentication">3.12 Skeleton-Key Authentication</a>, also in this document.

<p> <span class="high bold">TL;DR</span>

<p> Enable at the command line with a username that begins with an underscore
and is at least 8 characters long; the password must also be at least 8
characters long.

<div class="blockof code">&dollar; HTTPD /DO=AUTH=SKELKEY=_<span class="high italic">username</span>:<span class="high italic">password</span>
</div>

<p> Then using a browser access any available service, entering the above
username (including underscore) and password when prompted.

<div class="blockof block"><a class="link blank" target="_blank" href="/httpd/-/admin/report/WATCH">https://<i>the.host.name:port</i>&thinsp;/httpd/-/admin/report/WATCH</a>
</div>

<p> The service administration facilities (of which WATCH is one) are also
available and useful.

<div class="blockof block"><a class="link blank" target="_blank" href="/httpd/-/admin/">https://<i>the.host.name:port</i>&thinsp;/httpd/-/admin/</a>
</div>
<!-- source:0200_OVERVIEW.WASDOC -->
<hr class="page">
<a id="2." href="#"></a>
<a id="2.packageoverview" href="#"></a>
<a id="packageoverview" href="#"></a>
<h1 class="head"><span class="numb">2.</span><span class="text">Package Overview</span></h1>

<table class="TOC2table">
<tr><td><a href="#2.1.serverbehaviour"><span class="numb">2.1</span><span class="text">Server Behaviour</span></a>
<tr><td><a href="#2.2.vmsversions"><span class="numb">2.2</span><span class="text">VMS Versions</span></a>
<tr><td><a href="#2.3.tcpippackages"><span class="numb">2.3</span><span class="text">TCP/IP Packages</span></a>
<tr><td><a href="#2.4.internationalfeatures"><span class="numb">2.4</span><span class="text">International Features</span></a>
</table>
</div>

<table class="NAVtable NAVprint"><tr>
<td><a href="javascript:window.history.back();">&#8617;&#xFE0E;</a>
<td><a href="#1.">&#8598;&#xFE0E;</a>
<td><a href="#0.">&#8593;&#xFE0E;</a>
<td><a href="#3.">&#8600;&#xFE0E;</a>
<td><a href="javascript:window.history.forward();">&#8618;&#xFE0E;</a>
</table>

<p> The most fundamental component of the WASD VMS Web Services  environment is
the HTTP server (HyperText Transport Protocol Daemon, or HTTPd).  WASD has a
single-process, multi-threaded, asynchronous I/O design.

<p> The following bullet-points summarise the features and facilities, many of
which are described in significant detail in following chapters.

<a id="2.0.0.0.1" href="#"></a>
<a id="2.general" href="#"></a>
<a id="general" href="#"></a>
<h5 class="head"><span class="text">General</span></h5>

<ul class="list list0">
<li class="item"> concurrent, multi-threaded client support 
<li class="item"> HTTP/2 compliant (RFC 7540, RFC 7541) 
<li class="item"> HTTP/1.1 compliant (RFC 2616, RFC 7230 and family) 
<li class="item"> HTTP/1.0 compliant (RFC 1954) 
<li class="item"> WebDAV 1,2 support (RFC 4918) 
<li class="item"> Cross-Origin Resource Sharing (CORS) 
<li class="item"> virtual services (servers) 
<li class="item"> IPv4 and IPv6 support (requires underlying TCP/IP support) 
<li class="item"> requests above a configurable limit can be queued (&quot;throttling&quot;) 
<li class="item"> enhanced privacy using Transport Layer Security technology (TLS), a.k.a. Secure
Sockets Layer (SSL), including
<p> <ul class="list list0">
<li class="item"> OpenSSL Toolkit
<li class="item"> WASD OpenSSL
<li class="item"> VSI SSL product
</ul>
<li class="item"> serves ODS-2 and ODS-5 (EFS) volumes, as well as file names encoded
using schemas
<p> <ul class="list list0">
<li class="item"> PATHWORKS 4/5
<li class="item"> Advanced Server (PATHWORKS 6) and
<li class="item"> SRI (MultiNet NFS, etc.)
</ul>
<li class="item"> versatile directory listing (generic and VMS-style) 
<li class="item"> Server-Side Includes (SSI HTML pre-processing) 
<li class="item"> configurable cache, with time-based and forced revalidation (reload) 
<li class="item"> byte-range support with 206 partial responses (useful for PDF and 
restarting file download by modern browsers)
<li class="item"> proxy serving, with local file-system caching, plus the CONNECT method
(also allowing a number of esoteric SSL tunnelling configurations), along with
FTP proxy 
<li class="item"> gatewaying between Web protocols (HTTP-to-SSL, SSL-to-HTTP, HTTP-to-FTP) 
<li class="item"> gatewaying between IP protocols (IPv4-to-IPv6, IPv6-to-IPv4) 
</ul>
 
<a id="2.0.0.0.2" href="#"></a>
<a id="2.scripting" href="#"></a>
<a id="scripting" href="#"></a>
<h5 class="head"><span class="text">Scripting</span></h5>

<ul class="list list0">

<li class="item"> CGI 1.1 compliant scripting (RFC 3875) 
<li class="item"> non-server and user account scripting 
<li class="item"> &quot;CGIplus&quot; scripting
(offering reduced latency, increased throughput and reduced system impact) 
<li class="item"> &quot;Persistent&quot; scripting,
Run-Time Environments (RTEs) that provide for simple persistent scripting 
<li class="item"> WebSocket scripting environment; a capability introduced with HTML5,
providing an asynchronous, bidirectional, full-duplex connection. 
<li class="item"> &quot;RawSocket&quot; scripting environment; providing an protocol-agnostic
asynchronous, bidirectional, full-duplex connection. 
<li class="item"> &quot;ISAPI&quot; extensions/scripting
(also offering reduced latency, increased throughput and reduced system impact) 
<li class="item"> DECnet-based CGI scripting (with connection reuse) 
<li class="item"> OSU (DECthreads server) scripting emulation, with connection reuse
(as per OSU 3.3a), allowing many OSU scripts to be employed unmodified 
<li class="item"> script processor (e.g. PERL, PHP, Python) configurable on file type (suffix) 
<li class="item"> configurable, automatic, MIME content-type initiated scripting
(&quot;presentation&quot; scripting)

</ul>

<a id="2.0.0.0.3" href="#"></a>
<a id="2.accesscontrol" href="#"></a>
<a id="accesscontrol" href="#"></a>
<h5 class="head"><span class="text">Access Control</span></h5>

<ul class="list list0">
<li class="item"> host-level, on per-host or per-domain 
<li class="item"> &quot;Basic&quot; and &quot;Digest&quot; user authentication and path/group-based authorization  
<li class="item"> WASD-specific user databases 
<li class="item"> SYSUAF-authentication and VMS user security profile based file access control 
<li class="item"> ACME service authentication (on applicable platforms) 
<li class="item"> X.509 client certificate authentication (for SSL transactions) 
<li class="item"> RFC 1413 (<span class="high italic">ident</span> daemon) &quot;authentication&quot; 
<li class="item"> Example LDAP authenticators 
</ul>

<a id="2.0.0.0.4" href="#"></a>
<a id="2.administration" href="#"></a>
<a id="administration" href="#"></a>
<h5 class="head"><span class="text">Administration</span></h5>

<ul class="list list0">

<li class="item"> multiple <span class="high italic">instances</span> (server processes) executing on the one system allow
continuous availability via rolling restarts and &quot;fail-through&quot; processing 
<li class="item"> &quot;one-button&quot; control of multiple <span class="high italic">instances</span> on both single systems and
across clusters 
<li class="item"> online server configuration, including reports on requests, loaded
configuration, mapping rules, authorization information and graphical activity
displays 
<li class="item"> online, live server processing event report (WATCH) 
<li class="item"> Web-standard, &quot;common&quot; and &quot;combined&quot; access log formats (allowing
processing by most log-analysis tools), along with a user-definition capability
allowing custom log formats 
<li class="item"> logging periods, where log files automatically change on a daily,
weekly or monthly basis (keeps log files ordered and at a manageable size) 
<li class="item"> customizable message database (capable of supporting non-English and
concurrent, multiple languages)
</ul>
 
<a id="2.1" href="#"></a>
<a id="2.1.serverbehaviour" href="#"></a>
<a id="serverbehaviour" href="#"></a>
<h2 class="head"><span class="numb">2.1</span><span class="text">Server Behaviour</span></h2>

<p> The technical aspects of server design and behaviour are described in
<a class="link blank" target="_blank" href="/wasd_root/src/httpd/readmore.txt">WASD_ROOT:[SRC.HTTPD]READMORE.TXT</a>

<a id="2.2" href="#"></a>
<a id="2.2.vmsversions" href="#"></a>
<a id="vmsversions" href="#"></a>
<h2 class="head"><span class="numb">2.2</span><span class="text">VMS Versions</span></h2>

<p> The WASD server is supported on any VMS version from V7.0 upwards, on Alpha,
Itanium and x86-64 architectures.  The current version (as of 2021), V8.4
Alpha and Itanium, as is commonly the case on VMS platforms, required nothing
more than relinking.  Obviously no guarantees can be made for yet-to-be-released
versions but at a worst-case these should only require the same.

<p> The WASD distribution and package organisation fully supports
mixed-architecture clusters (Alpha, Itanium and/or x86-64 in the one cluster)
as one integrated installation.

<a id="2.3" href="#"></a>
<a id="2.3.tcpippackages" href="#"></a>
<a id="tcpippackages" href="#"></a>
<h2 class="head"><span class="numb">2.3</span><span class="text">TCP/IP Packages</span></h2>

<p> The WASD server uses the TCP/IP Services (UCX) BG &dollar;QIO interface. 
The following packages support this interface and may be used.

<ul class="list list0">
<li class="item"> VSI TCP/IP Services for OpenVMS (VMS Software Inc.) 
<li class="item"> TCP/IP Services for OpenVMS (Hewlett Packard <span class="high italic">whatever</span>) &ast;&ast; 
<li class="item"> Digital TCP/IP Services for OpenVMS (aka UCX) &ast;&ast;&ast; 
<li class="item"> MultiNet for OpenVMS (Process Software Corporation) &ast;&ast;
<p> &ast;&ast; any <span class="high bold">not unreasonably ancient</span> version 
<br>&ast;&ast;&ast; <span class="high italic">this might be becoming a bit of a stretch</span> 
</ul>

<p> To deploy IPv6 services this package must support IPv6.

<a id="2.4" href="#"></a>
<a id="2.4.internationalfeatures" href="#"></a>
<a id="internationalfeatures" href="#"></a>
<h2 class="head"><span class="numb">2.4</span><span class="text">International Features</span></h2>

<p> WASD provides a number of features that assist in the support of non-English
and multi-language sites.  These &quot;international&quot; features only apply to the
server, not necessarily to any scripts!

<ul class="list">

<li class="item"> <span class="high bold">Language Variants</span>

<p> A directory may contain language-specific variants of a basic document. 
When requesting the basic document name these variants are automatically and
transparently provided as the response if one matches preferences expressed in
the request's &quot;Accept-Language:&quot; request header field.  Both text and non-text
documents (e.g. images) may be provided using this mechanism.

<p> Configuration information is provided in section
<a class="link blank" target="_blank" href="../config/#languagevariants">Language Variants</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>.

<li class="item"> <span class="high bold">Character Sets</span>

<p> Generally the default character set for documents on the Web is ISO-8859-1
(Latin-1). The server allows the specification of any character set as a
default for text document responses (plain and HTML).  In addition, text
document file types may be modified or additional ones specified that have a
different character set associated with that type. Furthermore, specific
character sets may be associated with mapping paths.  A site can therefore
relatively easily support multiple character set document resources.

<p> In addition the server may be configured to dynamically convert one
character set to another during request processing.  This is supported using
the VMS standard NCS character set conversion library.

<p> For further information see [CharsetDefault], [CharsetConvert] and
[AddType] in <a class="link blank" target="_blank" href="../config/#alphabeticlisting">Alphabetic Listing</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>.

<li class="item"> <span class="high bold">Server Messages</span>

<p> The server uses an administrator-customizable database of messages that
can contain multiple language instances of some or all messages, using the
Latin-1 character set (ISO8859-1). Although the base English messages can be
completely changed and/or translated to provide any message text required or
desired, a more convenient approach is to supplement this base set with a
language-specific one.

<p> One language is designated the preferred language. This would most commonly
be the language appropriate to the geographical location and/or clientele of
the server. Another language is designated the base language. This must have a
complete set of messages and is a fall-back for any messages not configured
for the additional language. Of course this base language would most commonly
be the original English version.

<p> More than just two languages can be supported. If the browser has
<span class="high italic">preferred languages</span> set the server will attempt to match a message
with a language in this preference list. If not, then the server-preferred and
then the base language message would be issued, in that order. In this way it
would be possible to simultaneously provide for English, French, German and
Swedish audiences, just for example.

<p> For message configuration information see
<a class="link blank" target="_blank" href="../config/#messageconfiguration">Message Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>.

<li class="item"> <span class="high bold">Server Dates</span>

<p> Dates appearing in server-generated, non-administrative content (e.g.
directory listings, not META-tags, which use Web-standard time formats) will
use the natural language specified by any SYS&dollar;LANGUAGE environment in use on
the system or specifically created for the server.

<li class="item"> <span class="high bold">Virtual Services</span>

<p> Virtual-server-associated mapping, authorization and character-sets allow
for easy multiple language and environment sites.  Further per-request
tailoring may be deployed using conditional rule mapping described below.
Single server can support multi-homed (host name) and multiple port services.

<p> For virtual services information see
<a class="link blank" target="_blank" href="../config/#configurationconsiderations">Configuration Considerations</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>.

<li class="item"> <span class="high bold">Conditional Rule Mapping</span>

<p> Mapping rules map requested URL paths to physical or other paths (see
<a class="link blank" target="_blank" href="../config/#requestprocessingconfiguration">Request Processing Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>).

Conditional rules are only applied if the request matches criteria such as
preferred language, host address (hence geographical location to a certain
extent), etc.  This allows requests for generic documents (e.g. home pages) to
be mapped to language versions appropriate to the above criteria.

<p> For conditional mapping information see
<a class="link blank" target="_blank" href="../config/#conditionalconfiguration">Conditional Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>.

</ul>

<!-- source:0300_AUTHORIZATION.WASDOC -->
<hr class="page">
<a id="3." href="#"></a>
<a id="3.authenticationandauthorization" href="#"></a>
<a id="authenticationandauthorization" href="#"></a>
<h1 class="head"><span class="numb">3.</span><span class="text">Authentication and Authorization</span></h1>

<div class="TOC2cols2">
<table class="TOC2table">
<tr><td><a href="#3.1.ruleinterpretation"><span class="numb">3.1</span><span class="text">Rule Interpretation</span></a>
<tr><td><a href="#3.2.authenticationpolicy"><span class="numb">3.2</span><span class="text">Authentication Policy</span></a>
<tr><td><a href="#3.3.permissionspathanduser"><span class="numb">3.3</span><span class="text">Permissions, Path and User</span></a>
<tr><td><a href="#3.4.authorizationconfigurationfile"><span class="numb">3.4</span><span class="text">Authorization Configuration File</span></a>
<tr><td><a href="#3.5.authenticationsources"><span class="numb">3.5</span><span class="text">Authentication Sources</span></a>
<tr><td><a href="#3.6.realmfullaccessreadonly"><span class="numb">3.6</span><span class="text">Realm, Full-Access, Read-Only</span></a>
<tr><td><a href="#3.7.virtualservers"><span class="numb">3.7</span><span class="text">Virtual Servers</span></a>
<tr><td><a href="#3.8.authorizationconfigurationexamples"><span class="numb">3.8</span><span class="text">Authorization Configuration Examples</span></a>
<tr><td><a href="#3.8.1.kiss"><span class="numb">3.8.1</span><span class="text">KISS</span></a>
<tr><td><a href="#3.9.authorizationcache"><span class="numb">3.9</span><span class="text">Authorization Cache</span></a>
<tr><td><a href="#3.10.sysuafauthenticatedusers"><span class="numb">3.10</span><span class="text">SYSUAF-Authenticated Users</span></a>
<tr><td><a href="#3.10.1.acme"><span class="numb">3.10.1</span><span class="text">ACME</span></a>
<tr><td><a href="#3.10.2.logontype"><span class="numb">3.10.2</span><span class="text">Logon Type</span></a>
<tr><td><a href="#3.10.3.rightsidentifiers"><span class="numb">3.10.3</span><span class="text">Rights Identifiers</span></a>
<tr><td><a href="#3.10.4.wasdquothardwiredquotidentifiers"><span class="numb">3.10.4</span><span class="text">WASD &quot;Hard-Wired&quot; Identifiers</span></a>
<tr><td><a href="#3.10.5.vmsaccountproxying"><span class="numb">3.10.5</span><span class="text">VMS Account Proxying</span></a>
<tr><td><a href="#3.10.6.nilaccessvmsaccounts"><span class="numb">3.10.6</span><span class="text">Nil-Access VMS Accounts</span></a>
<tr><td><a href="#3.10.7.sysuafandssl"><span class="numb">3.10.7</span><span class="text">SYSUAF and SSL</span></a>
<tr><td><a href="#3.10.8.sysuafsecurityprofile"><span class="numb">3.10.8</span><span class="text">SYSUAF Security Profile</span></a>
<tr><td><a href="#3.10.9.sysuafprofileforfullsiteaccess"><span class="numb">3.10.9</span><span class="text">SYSUAF Profile For Full Site Access</span></a>
<tr><td><a href="#3.11.tokenauthentication"><span class="numb">3.11</span><span class="text">Token Authentication</span></a>
<tr><td><a href="#3.12.skeletonkeyauthentication"><span class="numb">3.12</span><span class="text">Skeleton-Key Authentication</span></a>
<tr><td><a href="#3.13.controllingserverwriteaccess"><span class="numb">3.13</span><span class="text">Controlling Server Write Access</span></a>
<tr><td><a href="#3.14.securingallrequests"><span class="numb">3.14</span><span class="text">Securing All Requests</span></a>
<tr><td><a href="#3.15.userpasswordmodification"><span class="numb">3.15</span><span class="text">User Password Modification</span></a>
<tr><td><a href="#3.16.cancellingauthorization"><span class="numb">3.16</span><span class="text">Cancelling Authorization</span></a>
</table>
</div>


<p> <span class="high bold">Authentication</span> is the verification of a user's identity, usually through
username/password credentials. <span class="high bold">Authorization</span> is allowing a certain action
to be applied to a particular path based on authentication of the originator.

<p> Generally, authorization is a two step process. First authentication,
using a username/password database. Second authorization, determining what
the username is allowed to do for this transaction.

<p> Basic authorization was discussed in
<a class="link blank" target="_blank" href="../config/#authorizationconfigurationbasics">Authorization Configuration (Basics)</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>.
This section discusses all the aspects of WASD authentication and authorization.

<a id="3.0.0.0.1" href="#"></a>
<a id="3.overview" href="#"></a>
<a id="overview" href="#"></a>
<h5 class="head"><span class="text">Overview</span></h5>

<p> By default, the logical name <span class="high bold">WASD_CONFIG_AUTH</span> locates a common
authorization rule file.  Simple editing of the file and reloading into the
running server changes the processing rules.

<p> Server authorization is performed using a configuration file, authentication
source, and optional full-access and read-only authorization grouping sources,
and is based on per-path directives. There is no user-configured authorization
necessary, or possible! In the configuration file paths are associated with the
authentication and authorization environments, and so become subject to the
HTTPd authorization mechanism. Reiterating &hellip; WASD HTTPd authorization
administration involves those two aspects, setting authorization against paths
and administering the authentication and authorization sources.

<p> <span class="high bold">Authorization is applied to the request path (i.e. the path in the URL
used by the client).  Sometimes it is possible to access the same resource
using different paths.  Where this can occur care must be exercised to
authorize all possible paths.</span>

<p> <span class="high bold">Where a request will result in script activation, authorization
is performed on both script and path components</span>. First script access is
checked for any authorization, then the path component is independently
authorized. Either may result in an authorization challenge/failure.  This
behaviour can be disabled using a path SETting rule, see
<a class="link blank" target="_blank" href="../config/#setrule">SET Rule</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>.

<p> The <span class="high bold">authentication source</span> name is referred to as the <span class="high italic">realm</span>, and
refers to a collection of usernames and passwords.  It can be the system's
SYSUAF database.

<p> The <span class="high bold">authorization source</span> is referred to as the <span class="high italic">group</span>, and commonly
refers to a collection of usernames and associated <span class="high italic">permissions</span>.

<a id="3.1" href="#"></a>
<a id="3.1.ruleinterpretation" href="#"></a>
<a id="ruleinterpretation" href="#"></a>
<h2 class="head"><span class="numb">3.1</span><span class="text">Rule Interpretation</span></h2>

<p> The configuration file rules are scanned from first towards last, until a
matching rule is encountered (or end-of-file).  Generally a rule has a trailing
wildcard to indicate that all sub-paths are subject to the same authorization
requirements.

<a id="3.1.0.0.1" href="#"></a>
<a id="3.1.stringmatching" href="#"></a>
<a id="stringmatching" href="#"></a>
<h5 class="head"><span class="text">String Matching</span></h5>

<p> Rule matching is string pattern matching, comparing
the request specified path, and optionally other components of the request when
using configuration conditionals
<a class="link blank" target="_blank" href="../config/#conditionalconfiguration">Conditional Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>,
to a series of patterns, until one of the patterns matches, at which stage
the authorization characteristics are applied to the request and authentication
processing is undertaken.  If a matching pattern (rule) is not found the path is
considered not to be subject to authorization.  Both wildcard and regular
expression based pattern matching is available
<a class="link blank" target="_blank" href="../config/#stringmatching">String Matching</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>.

<a id="3.2" href="#"></a>
<a id="3.2.authenticationpolicy" href="#"></a>
<a id="authenticationpolicy" href="#"></a>
<h2 class="head"><span class="numb">3.2</span><span class="text">Authentication Policy</span></h2>

<p> A <span class="high italic">policy</span> regarding when and how authorization can be used may be
established on a per-server basis. This can restrict authentication challenges
to &quot;https:&quot; (SSL) requests (<a class="link" href="#4.transportlayersecurity">4. Transport Layer Security</a>), thereby ensuring
that the authorization environment is not compromised by use in non-encrypted
transactions. Two server qualifiers provide this.

<ul class="list">

<li class="item"> <span class="high bold">/AUTHORIZE=</span>

<ul class="list">

<li class="item"> <span class="high bold">ALL</span> restricts <span class="high bold">all</span> requests to authorized paths.  If a path does
not have authorization configured against it it is automatically denied
access.  This is an effective method of preventing inadvertent access to areas
in a site (<a class="link" href="#3.14.securingallrequests">3.14 Securing All Requests</a>).

<li class="item"> <span class="high bold">SSL</span> restricts <span class="high bold">all</span>
authentication/authorization transactions to the SSL environment.

<li class="item"> <span class="high bold">(SSL,ALL)</span> combines the above two.

</ul>

<li class="item"> <span class="high bold">/SYSUAF=</span>

<ul class="list">

<li class="item"> Used without any keywords, this qualifier allows all current (non-expired,
non-disusered, etc.), non-privileged accounts to be used for authentication
purposes. 

<li class="item"> <span class="high bold">ID</span> restricts SYSUAF authenticated account to those possessing a
specific VMS resource identifier
(<a class="link" href="#3.10.3.rightsidentifiers">3.10.3 Rights Identifiers</a>). 

<li class="item"> <span class="high bold">PROXY</span> allows non-SYSUAF to SYSUAF username proxying
(<a class="link" href="#3.10.5.vmsaccountproxying">3.10.5 VMS Account Proxying</a>).

<li class="item"> <span class="high bold">RELAXED</span> allows <span class="high bold">any</span> current account to
be authorized via the SYSUAF.  <span class="high bold">This is not recommended</span>, use rights
identifiers to allow some discrimination to be exercised.

<li class="item"> <span class="high bold">SSL</span> restricts only SYSUAF authenticated transactions to the SSL
environment.

<li class="item"> <span class="high bold">VMS</span> allows a combination of all current (non-expired,
non-disusered, etc.), non-privileged accounts to be used for authentication
purposes (the /SYSUAF without keywords behaviour), with the behaviours provided
by the ID keyword. 

<li class="item"> <span class="high bold">WASD</span> enables the deprecated, &quot;hard-wired&quot; WASD
identifier environment available to this server. See
<a class="link" href="#3.10.4.wasdquothardwiredquotidentifiers">3.10.4 WASD &quot;Hard-Wired&quot; Identifiers</a>.

<li class="item"> <span class="high bold">(VMS,ID,SSL)</span> would allow these multiple keywords to be applied, etc.

</ul>

</ul>

<p> Note also that individual paths may be restricted to SSL requests using
either the mapping conditional rule configuration or the authorization
configuration files. See
<a class="link blank" target="_blank" href="../config/#conditionalmapping">Conditional Mapping</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>.

<p> In addition, the following configuration parameters have a direct role in
an established authorization policy.

<ul class="list">

<li class="item"> <span class="high bold">[AuthFailureLimit]
[AuthFailurePeriod]
[AuthFailureTimeout]</span>
provide a similar break-in detection and evasion as with VMS. These three
directives parallel the functions of SYSGEN parameters LGI_BRK_LIM,
LGI_BRK_TMO, LGI_HID_TIM. A single authentication failure marks the particular
username in the particular realm as suspect.  Repeated failures up to
[AuthFailureLimit] attempts within the [AuthFailurePeriod] period puts it into
break-in evasion mode after which the period [AuthFailureTimeout] must expire
before further attempts have authentication performed and so have any chance to
succeed. (This is a change in behaviour to versions earlier than 8.3.)  If any
of the above three parameters are not specified they default to the
corresponding SYSGEN parameter.

<li class="item"> <span class="high bold">[AuthRevalidateLoginCookie]</span> When user revalidation is in effect (see
immediately below), after the browser has previously been closed the initial
authentication of a resource is immediately followed by another if a cached
entry on the server indicated revalidation was required.  This directive prevents
that second prompt.  Requires that browser cookies be enabled.

<li class="item"> <span class="high bold">[AuthRevalidateUserMinutes]</span> sets the number of minutes between
successive authentication attempts before the user is forced to reenter the
authentication data (via a browser dialog).  Zero disables this function. When
enabling this feature it is inevitable that [AuthRevalidateLoginCookie] will
need to be enabled as well (described immediately above).  This is used to
suppress an unavoidable second username/password prompt from the browser.

<div class="note">
<a id="3.2.0.0.1" href="#"></a>
<a id="3.2.authenticationcacheandrevalidation" href="#"></a>
<a id="authenticationcacheandrevalidation" href="#"></a>
<h5 class="head center"><span class="text">Authentication Cache and Revalidation</span></h5>
<hr class="note_hr">
User revalidation relies on an entry being maintained in the authentication
cache.  Each time the entry is flushed, for whatever reason (cache congestion,
command-line purge, server restart, etc.), the user will be prompted for
credentials.  It may be necessary to increase the size of the cache by
adjusting [AuthCacheEntriesMax] when this facility is enabled.
<hr class="note_hr">
</div>

</ul>

<a id="3.2.0.0.2" href="#"></a>
<a id="3.2.authenticationfailures" href="#"></a>
<a id="authenticationfailures" href="#"></a>
<h5 class="head"><span class="text">Authentication Failures</span></h5>

<p> Details of authentication failures are logged to the server process log. 

<ul class="list">

<li class="item"> <span class="high bold">HTTPD-W-AUTHFAIL</span> indicates a failure to authenticate (incorrect
username/password).  The number of failures, the realm name, the user name and
the originating host are provided. Isolated instances of this are only of
moderate interest.  Consecutive instances may indicate a user thrashing about
for the correct password, but they usually give up before a dozen attempts.

<li class="item"> <span class="high bold">HTTPD-I-AUTHFAILOK</span> advises that a previous failure to
authenticate has now successfully done so.  This is essentially informational.

<li class="item"> <span class="high bold">HTTPD-W-AUTHFAILIM</span> indicates the number of failures have exceeded
the [AuthFailureLimit], after which automatic refusal begins.  This message
should be of concern and the circumstances investigated, especially if the
number of attempts becomes excessive.

</ul>

<p> Failures may also be directed to the OPCOM facility
<a class="link blank" target="_blank" href="../config/#opcomlogging">OPCOM Logging</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>.

<a id="3.3" href="#"></a>
<a id="3.3.permissionspathanduser" href="#"></a>
<a id="permissionspathanduser" href="#"></a>
<h2 class="head"><span class="numb">3.3</span><span class="text">Permissions, Path and User</span></h2>

<p> <span class="high bold">Both paths and usernames have permissions associated with them.</span>  A path
may be specified as read-only, read and write, write-only (yes, I'm sure
someone will want this!), or none (permission to do nothing). A username may be
specified as read capable, read and write capable, or only write capable.  For
each transaction these two are combined to determine the maximum level of
access allowed. The allowed action is the logical AND of the path and username
permissions.

<p> The permissions may be described using the HTTP method names, or using the
more concise abbreviations R, W, and R+W.

<a id="3.3.0.0.1" href="#"></a>
<a id="3.3.httpmethods" href="#"></a>
<a id="httpmethods" href="#"></a>
<h5 class="head"><span class="text">HTTP Methods</span></h5>

<table class="tabl">
<tr class="tabr under">
<th class="tabh">Path/User
<th class="tabh">DELETE
<th class="tabh">GET
<th class="tabh">HEAD
<th class="tabh">POST
<th class="tabh">PROPFIND
<th class="tabh">PUT
<th class="tabh">WebDAV
<tr class="tabr">
<tr class="tabr backlight">
<td class="tabd">READ or R
<td class="tabd">no
<td class="tabd">yes
<td class="tabd">yes
<td class="tabd">no
<td class="tabd">yes
<td class="tabd">no
<td class="tabd">no
<tr class="tabr">
<td class="tabd">WRITE or W
<td class="tabd">yes
<td class="tabd">no
<td class="tabd">no
<td class="tabd">yes
<td class="tabd">no
<td class="tabd">yes
<td class="tabd">yes
<tr class="tabr backlight">
<td class="tabd">R+W
<td class="tabd">yes
<td class="tabd">yes
<td class="tabd">yes
<td class="tabd">yes
<td class="tabd">yes
<td class="tabd">yes
<td class="tabd">yes
<tr class="tabr">
<td class="tabd">NONE
<td class="tabd">no
<td class="tabd">no
<td class="tabd">no
<td class="tabd">no
<td class="tabd">no
<td class="tabd">no
<td class="tabd">no
<tr class="tabr backlight">
<tr class="tabr backlight">
<td class="tabd">DELETE
<td class="tabd">yes
<td class="tabd">yes
<td class="tabd">no
<td class="tabd">no
<td class="tabd">no
<td class="tabd">no
<td class="tabd">no
<tr class="tabr">
<td class="tabd">GET
<td class="tabd">no
<td class="tabd">yes
<td class="tabd">no
<td class="tabd">no
<td class="tabd">no
<td class="tabd">no
<td class="tabd">no
<tr class="tabr backlight">
<td class="tabd">HEAD
<td class="tabd">no
<td class="tabd">no
<td class="tabd">yes
<td class="tabd">no
<td class="tabd">no
<td class="tabd">no
<td class="tabd">no
<tr class="tabr">
<td class="tabd">POST
<td class="tabd">no
<td class="tabd">no
<td class="tabd">no
<td class="tabd">yes
<td class="tabd">no
<td class="tabd">no
<td class="tabd">no
<tr class="tabr backlight">
<td class="tabd">PROPFIND
<td class="tabd">no
<td class="tabd">no
<td class="tabd">no
<td class="tabd">no
<td class="tabd">yes
<td class="tabd">no
<td class="tabd">no
<tr class="tabr">
<td class="tabd">PUT
<td class="tabd">no
<td class="tabd">yes
<td class="tabd">no
<td class="tabd">no
<td class="tabd">no
<td class="tabd">yes
<td class="tabd">no
<tr class="tabr backlight">
<td class="tabd">Other WebDAV
<td class="tabd">no
<td class="tabd">no
<td class="tabd">no
<td class="tabd">no
<td class="tabd">no
<td class="tabd">no
<td class="tabd">yes
</table>

<a id="3.4" href="#"></a>
<a id="3.4.authorizationconfigurationfile" href="#"></a>
<a id="authorizationconfigurationfile" href="#"></a>
<h2 class="head"><span class="numb">3.4</span><span class="text">Authorization Configuration File</span></h2>

<p> Requiring a particular path to be authorized in the HTTP transaction is
accomplished by applying authorization requirements against that path in a
configuration file.  This is an activity distinct from setting up and
maintaining any authentication/authorization databases required for the
environment.

<p> By default, the system-table logical name <span class="high bold">WASD_CONFIG_AUTH</span>
locates a common authorization configuration file, unless an individual rule
file is specified using a job-table logical name.  Simple editing of the file
changes the configuration. Comment lines may be included by prefixing them with
the hash &quot;#&quot; character, and lines continued by placing the backslash
character &quot;\&quot; as the last character on a line.

<p> The [IncludeFile] is a directive common to all WASD configuration, allowing
a separate file to be included as a part of the current configuration (see
<a class="link blank" target="_blank" href="../config/#includefiledirective">Include File Directive</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>).

<p> Configuration directives begin either with a &quot;[realm]&quot;, &quot;[realm;group]&quot; or
&quot;[realm;group-r+w;group-r]&quot; specification, with the forward-slash of a path
specification, or with a &quot;[AuthProxy]&quot; or &quot;[AuthProxyFile]&quot; introducing a proxy
mapping.  Following the path specification are HTTP method keywords controlling
group and world permissions to the path, and any <span class="high bold">access-restricting</span> request
scheme (&quot;https:&quot;) and/or host address(es) and/or username(s).

<ul class="list">

<li class="item"> <span class="high bold">REALM</span>

<p> Square brackets are used to enclose a [realm;group;group] specification,
introducing a new authentication grouping.  Within  these brackets is specified
the realm name (authentication source), and then optional group (authorization
source) names separated by semi-colons. All path specifications following this
are authenticated against the specified realm database, and permissions
obtained from the group &quot;[realm;group]&quot; database (or authentication database if
group not specified), until the next [realm;group;group] specification.

<p> The following shows the format of an authentication source (realm) only
directive.

<div class="blockof code">[authentication-source]
</div>

<p> This one, the format of a directive using both authentication and
authorization sources (both realm and group).

<div class="blockof code">[authentication-source ; authorization-source]
</div>

<p> The third variation, using an authentication, full-access (read and write)
and read-only authorization sources (realm and two grouping).

<div class="blockof code">[authentication-source ; full-access-source ; read-only-source]
</div>

<p> The authentication source may also be given a description.  This is the
text the browser dialog presents during password prompting.  See 
<a class="link" href="#3.5.realmdescription">&lsquo;Realm Description&rsquo; in 3.5 Authentication Sources</a>.

<li class="item"> <span class="high bold">PATH</span>

<p> Paths are usually specified terminated with an asterisk wildcard. This
implies that any directory tree below this is included  in the access control.
Wildcards may be used to match any portion of the specified path, or not at
all. Following the path specification are control keywords representing the
HTTP methods or permissions that can be applied against the path, and optional
access-restricting list of host address(es) and/or username(s), separated using
commas. Access control is against either or both the group and the world. The
group access is specified first followed by a semi-colon separated world
specification. The following show the format of the path directive, see the
examples below to further clarify the format.

<div class="blockof code">/root/path/  group-access-list,group-permissions ; \
             world-access-list,world-permissions
</div>

<li class="item"> <span class="high bold">PROXY</span>

<p> The [AuthProxy] and [AuthProxyFile] directives introduce one or more
SYSUAF proxy mappings (<a class="link" href="#3.10.5.vmsaccountproxying">3.10.5 VMS Account Proxying</a>).

</ul>

<p> <span class="high bold">The same path cannot be specified against two different realms for the
same virtual service.</span> The reason lies in the HTTP authentication schema,
which allows for only one realm in an authentication dialog.  How would the
server decide which realm to use in the authentication challenge?  Of course,
different parts of a given tree may have different authorizations, however any
tree ending in an asterisk results in the entire sub-tree being controlled by
the specified authorization environment, unless a separate specification exists
for some inferior portion of the tree.

<p> There is a thirty-one character limit on authentication source names.

<a id="3.4.0.0.1" href="#"></a>
<a id="3.4.reservednames" href="#"></a>
<a id="reservednames" href="#"></a>
<h5 class="head"><span class="text">Reserved Names</span></h5>

<p> The following realm names are reserved and have special functionality.

<ul class="list">

<li class="item"> <span class="high bold">EXTERNAL &ndash; </span> Any authentication and authorization will be done in
some way by an external CGI script.  None is attempted by the server.  The
server does pre-process the supplied &quot;Authorization:&quot; field however and
ensures that any request against a path with this realm supplies authorization
credentials before any further request processing (script activation) occurs.

<li class="item"> <span class="high bold">NONE &ndash; </span> This refers to any request; it is not authenticated
in any way, and just marks the path as having been authorized for access
(<a class="link" href="#3.14.securingallrequests">3.14 Securing All Requests</a>).

<li class="item"> <span class="high bold">OPAQUE &ndash; </span> Allows a script generating its own
challenge/response and doing all its own &quot;Authorization:&quot; field processing (a
little like EXTERNAL but the server does absolutely nothing).

<li class="item"> <span class="high bold">PROMISCUOUS &ndash; </span> This realm is only available while the
/PROMISCUOUS qualifier is in use (<a class="link" href="#9.serveradministration">9. Server Administration</a>).

<li class="item"> <span class="high bold">RFC1413 &ndash; </span> This IETF document describes an identification protocol
that can be used as a form of <span class="high italic">authentication</span> within this realm.

<li class="item"> <span class="high bold">TOKEN &ndash; </span> A <span class="high italic">token</span> is a short-lived, cookie delivered,
representation of authentication established in another context.

<li class="item"> <span class="high bold">WORLD &ndash; </span> This refers to any request and is not authenticated in any
way, only the permissions associated with the path are applied to the request. 
The reserved username &quot;WORLD&quot; becomes the  authenticated username.

<li class="item"> <span class="high bold">VMS &ndash; </span> Use the server system's SYSUAF database to authenticate the
username. For &quot;http:&quot; requests the username/password pairs are transmitted
encoded but not encrypted, <span class="high bold" style="color:red;">so this is not recommended</span>.  For
&quot;https:&quot; requests, using the implicit security offered by SSL (<a class="link" href="#4.transportlayersecurity">4. Transport Layer Security</a>) the use of SYSUAF authentication is considered viable.

<p> By default accounts with SYSPRV authorized are always rejected to discourage
the use of potentially significant usernames (e.g. SYSTEM). Accounts that are
disusered, have passwords that have expired, or that are captive or restricted
are also automatically rejected.

<p> The authentication source may be disguised by giving it a specific
description.  This will be the text the browser dialog presents during password
prompting.  See <a class="link" href="#3.5.realmdescription">&lsquo;Realm Description&rsquo; in 3.5 Authentication Sources</a>.

<p> See <a class="link" href="#3.10.sysuafauthenticatedusers">3.10 SYSUAF-Authenticated Users</a> for further information on these
topics. 

<li class="item"> <span class="high bold">X509 &ndash; </span> Uses X.509 v3 certificates (browser client certificates) to
establish identity (authentication) and based on that identity control access
to server resources (authorization).  This is only available for SSL
transactions.  See <a class="link" href="#4.transportlayersecurity">4. Transport Layer Security</a> for further information on
SSL, and <a class="link" href="#4.5.12.authorizationusingx509certification">4.5.12 Authorization Using X.509 Certification</a> on X509 realm
authorization.

</ul>

<a id="3.4.0.0.2" href="#"></a>
<a id="3.4.reservedusername" href="#"></a>
<a id="reservedusername" href="#"></a>
<h5 class="head"><span class="text">Reserved Username</span></h5>

<p> The following username is reserved.

<ul class="list">

<li class="item"> <span class="high bold">WORLD &ndash; </span> If a path is authorized using the WORLD realm the
pseudo-authenticated username becomes &quot;WORLD&quot;.  Any log will reflect this 
username and scripts will access a WWW_REMOTE_USER containing this value. 
Although not forbidden, it is not recommended this string be used as a username
in other realms.

</ul>

<a id="3.4.0.0.3" href="#"></a>
<a id="3.4.accessrestrictionkeywords" href="#"></a>
<a id="accessrestrictionkeywords" href="#"></a>
<h5 class="head"><span class="text">Access Restriction Keywords</span></h5>

<p> If a host name, protocol identifier or username is included in the path
configuration directive it acts to <span class="high bold">further</span> limit access to matching clients
(path and username permissions still apply). If more than one are included a
request must match each. If multiple host names and/or usernames are included
the client must match at least one of each. Host and username strings may
contain the asterisk wildcard, matching one or more consecutive characters.
This is most useful when restricting access to all hosts within a given domain,
etc. In addition a VMS security profile may be associated with the request.

<ul class="list">

<li class="item"> <span class="high bold">Host Names &ndash; </span> may be specified as either alphabetic (if DNS name
resolution is enabled, see [DNSlookup] configuration directive) or literal
addresses. When a host restriction is not satisfied there is never an attempt to
authenticate any associated username. Hence applying host restrictions very
effectively prevents an attack from outside the allowed addresses (bearing in
mind that source addresses can be spoofed, as noted under <span class="high italic">Host Group</span> in
<a class="link" href="#3.5.authenticationsources">3.5 Authentication Sources</a>). The reserved
word <span class="high italic">localhost</span> refers to the host name the server is executing on.

<li class="item"> <span class="high bold">Network Mask &ndash; </span> The mask is a dotted-decimal network
address, a slash, then a dotted-decimal mask or VLSM (variable-length subnet
mask).  A network mask operates by bitwise-ANDing the client host address with
the mask, bitwise-ANDing the network address supplied with the mask, then
comparing the two results for equality.

<li class="item"> <span class="high bold">Request Scheme &ndash; </span> (protocol) either &quot;http:&quot; or secured via &quot;https:&quot;
(SSL)

<li class="item"> <span class="high bold">User Names &ndash; </span> are indicated by a leading tilde, the &quot;~&quot; character
(similar to the username syntax of a URL).

<li class="item"> <span class="high bold">Profile &ndash; </span> a SYSUAF-authenticated username can have its VMS security
profile associated with the request.  When applied to a path this profile is
used to determine access to the file system.  The WASD_CONFIG_AUTH
configuration file can have the keyword &quot;profile&quot; added to the restriction list
(<a class="link" href="#3.10.8.sysuafsecurityprofile">3.10.8 SYSUAF Security Profile</a>).  In a manner-of-speaking this keyword lifts
a restriction.

</ul>

For example

<div class="blockof code">/web/secret/* *.three.stooges,~Moe,~Larry,~Curly,read
</div>

restricts read access to Curly, Larry and Moe accessing from within the
three.stooges network, while

<div class="blockof code">/web/secret/* https:,*.three.stooges,~Moe,~Larry,~Curly,read
</div>

applies the further restriction of access via &quot;https:&quot; (SSL) only.

<p> These examples show the use of a network mask to restrict based on the
source network of the client.  In the first the mask is supplied as four
dotted-decimal octets; in the second a VLSM prefix length specifies the length
of the network component of the address.

<div class="blockof code">/web/secret/* https:,#131.185.250.128/255.255.255.192,~Moe,~Larry,~Curly,read

/web/secret/* https:,#131.185.250.128/26,~Moe,~Larry,~Curly,read
</div>

<p> These examples both specify a subnet with a 26-bit network prefix (a 6 bit
host portion).  With the above examples the
host 131.185.250.250 would be accepted, but 131.185.250.50 would be rejected.

<p> Note that it is more efficient to place <span class="high italic">protocol</span> and <span class="high italic">host</span> restrictions at
the front of a list.

<a id="3.5" href="#"></a>
<a id="3.5.authenticationsources" href="#"></a>
<a id="authenticationsources" href="#"></a>
<h2 class="head"><span class="numb">3.5</span><span class="text">Authentication Sources</span></h2>

<p> Authentication credentials may be validated against one of several sources,
each with different characteristics.

<ul class="list">

<li class="item"> <span class="high bold">VMS Rights Identifier</span>

<p> An identifier is indicated by appending a &quot;=ID&quot; to the name of the
realm or group.  Also refer to <a class="link" href="#3.10.3.rightsidentifiers">3.10.3 Rights Identifiers</a>.

<p> Whether or not any particular username is allowed to authenticate via the
SYSUAF may be controlled by that account holding or not holding a particular
rights identifier. Placing &quot;=ID&quot; against realm name implies the username
must exist in the SYSUAF and hold the specified identifier name.

<div class="blockof code">[PROJECT_A=id]
</div>

<p> When (and only when) a username has been authenticated via the SYSUAF,
rights identifiers associated with that account may be used to control the
level-of-access within that realm.  This is in addition to any identifier
controlling authentication itself.

<div class="blockof code">[PROJECT_A=id;PROJECT_A_LIBRARIAN=id;PROJECT_A_USER=id]
</div>

<p> In this example a username would need to hold the PROJECT_A identifier to
be able to authenticate, PROJECT_A_LIBRARIAN to write the path(s) (via POST,
PUT) and PROJECT_A_USER to be able to read the path(s).

<li class="item"> <span class="high bold">VMS Authentication</span>

<p> The server system SYSUAF may be used to authenticate usernames using the VMS
account name and password.  The realm being VMS may be indicated by using the
name &quot;VMS&quot;, by appending &quot;=VMS&quot; to another name making it a <span class="high italic">VMS synonym</span>, or
by giving it a specific description (see <a class="link" href="#3.5.realmdescription">Realm Description</a> below).  Further
information on SYSUAF authentication may be found in the SYSUAF-related
subsections of 3.10 (for example <a class="link" href="#3.10.8.sysuafsecurityprofile">3.10.8 SYSUAF Security Profile</a>). These
examples illustrate the general idea.

<div class="blockof code">[VMS]
[LOCAL=vms]
[ANY_NAME_AT_ALL=vms]
</div>

<li class="item"> <span class="high bold">ACME</span>

<p> Three Authentication and Credential Management Extension (ACME) agents are
currently available (as at VMS V8.3 and WASD v9.3), &quot;VMS&quot;  (SYSUAF), &quot;MSV1_0&quot;
(Microsoft domain authentication used by Advanced Server) and an LDAP kit. 
There is also an API that will allow local or third-party agents to be
developed.  WASD ACME authentication is completely asynchronous and so agents
that make network or other relatively latent queries will not add granularity
into server processing.  By default ACME is used to authenticate requests
against the SYSUAF on Alpha and Itanium running VMS V7.3 or later
(<a class="link" href="#3.10.1.acme">3.10.1 ACME</a>).

<p> For authorization rules explicitly specifying ACME the Domain Of
Interpretation (DOI) becomes the realm name, interposed between the realm
description and the ACME authentication source keyword.  In this first example
the DOI is VMS and so all WASD SYSUAF authentication capabilities are
available.

<div class="blockof code">[&quot;ACME Coyote&quot;=VMS=ACME;JIN_PROJECT=id]
/a/path/* r+w,https:
</div>

<p> In the second example authentication is performed using the same
credentials as Advanced Server running on the local system.

<div class="blockof code">[&quot;PC Users&quot;=MSV1_0=ACME]
/a/nuther/path/* r+w,https:
</div>

<p> In this final example the DOI is a third-party agent.

<div class="blockof code">[&quot;More ACME&quot;=THIRD-PARTY=ACME]
/a/different/path/* r+w,https:
</div>

<li class="item"> <span class="high bold">Simple List</span>

<p> A plain-text list may be used to provide usernames for group membership. 
The format is one username per line, at the start of the line, with optional,
white-space delimited text continuing along the line (which could be used as
documentation).  Blank lines and comment lines are ignored.  A line may be
continued by ending it with a &quot;\&quot; character.  These files may, of course, be
created and maintained using any plain text editor.  They must exist in the
WASD_AUTH: directory, have an extension of &quot;.&dollar;HTL&quot;, and do not need to be world
accessible.

<div class="blockof code"># the stooges
curley     Jerome Horwitz
larry      Louis Feinberg
moe        Moses Horwitz
shemp      Samuel Horwitz
JoeBesser
JoeDeRita
</div>

<p> Simple lists are indicated in the configuration by appending a
&quot;=LIST&quot; to the name.

<div class="blockof code">[VMS;STOOGES=list]
</div>

<p> It is also possible to use a simple list for authentication purposes.  The
plain-text password is appended to the username, separated by an equate symbol (&quot;=&quot;).
Although in general this is not recommended as everything is stored as
plain-text it may be suitable as an ad hoc solution in some circumstances. The
following example shows the format.

<div class="blockof code"># silly example
fred=dancesalittle  Guess who?
ginger=rogers       No second prizes!
</div>

<li class="item"> <span class="high bold">HTA Database</span>

<p> These are binary, fixed 512 byte record files, containing authentication
and authorization information.  HTA databases may be used for authentication
and group membership purposes.  The content is much the same, the role differs
according to the location in the realm directive.  These databases may be
administered using the online Server Administration facility (<a class="link" href="#9.5.httpdserverrevise">9.5 HTTPd Server Revise</a>) or the HTAdmin command-line utility (<a class="link" href="#13.8.htadmin">13.8 HTAdmin</a>). They
are located in the WASD_AUTH: directory and have an extension of &quot;.&dollar;HTA&quot;.

<p> (Essentially for historical reasons) HTA databases are the default sources
for authorization information.  Therefore, using just a name, with no trailing
&quot;=<span class="high italic">something</span>&quot;, will configure an HTA source.  Also, and recommended for
clearly showing the intention, appending the &quot;=HTA&quot; qualifier specifies an HTA
database.  The following example shows some of the variations.

<div class="blockof code">[VMS;PROJECT_A=hta]
[DEVELOPERS=hta;PROJECT_A=hta]
</div>

<li class="item"> <span class="high bold">X.509 Client Certificate</span>

<p> Uses X.509 v3 certificates (browser client certificates) to establish
identity (authentication) and based on that identity control access to server
resources (authorization).  This is only available for SSL transactions.  See
<a class="link" href="#4.transportlayersecurity">4. Transport Layer Security</a> for further information on SSL, and
<a class="link" href="#4.5.12.authorizationusingx509certification">4.5.12 Authorization Using X.509 Certification</a> on X509 realm authorization.

<li class="item"> <span class="high bold">RFC1413 Identification Protocol</span>

<p> From RFC1413 (M. St.Johns, 1993) &hellip;

<div class="blockof quote"> The Identification Protocol (a.k.a., &quot;ident&quot;, a.k.a., &quot;the Ident
Protocol&quot;)  provides a means to determine the identity of a user of a
particular TCP connection.  Given a TCP port number pair, it returns a
character string which identifies the owner of that connection on the server's
system.
</div>

and &hellip;

<div class="blockof quote">The information returned by this protocol is at most as trustworthy as the host
providing it OR the organization operating the host.  For example, a PC in an
open lab has few if any controls on it to prevent a user from having this
protocol return any identifier the user wants.  Likewise, if the host has been
compromised the information returned may be completely erroneous and
misleading.


<p> The Identification Protocol is not intended as an authorization or access
control protocol.  At best, it provides some additional auditing information
with respect to TCP connections.  At worst, it can provide misleading,
incorrect, or maliciously incorrect information.
</div>

<p> Nevertheless, RFC1413 may be useful for some purposes in some heterogeneous
environments, and so has been made available for <span class="high italic">authentication</span>
purposes.

<div class="blockof code">[RFC1413]
[&quot;Descriptions can be used!&quot;=RFC1413;A_PROJECT=list]
</div>

<p> The RFC1413 realm generates no browser username/password dialog.  It relies
on the system supporting the client to return a reliable identification of the
user accessing the HTTP server by looking-up the user of the server
connection's peer port.

<li class="item"> <span class="high bold">Authorization Agent</span>

<p> An authorization agent is a CGI-compliant CGIplus script that is specially
activated during the authorization processing.  Using CGI environment variables
it gets details of the request, makes an assessment based on its own internal
authentication/authorization processing, and using the script <span class="high italic">callout</span>
mechanism returns the results to the server, which then acting on these, allows
or denies access.

<p> Such agents allow a site to develop local authentication/authorization
mechanisms relatively easily, based on CGI principles.  A discussion of such a
development is not within the scope of this section, see the
<a class="link blank" target="_blank" href="../scripting/scripting.html">WASD Web Services - Scripting</a> document for information
on the use of callouts, and the example and working authorization agents
provided in the <a class="link blank" target="_blank" href="/wasd_root/src/agent/*.*">WASD_ROOT:[SRC.AGENT]</a>
directory. The description at the beginning of these programs covers these
topics in some detail.

<p> An authorization agent would be configured using something like the
following, where the &quot;AUTHAGENT&quot; is the actual script name doing the
authorization.  This has the path &quot;/cgiauth-bin/&quot; prepended to it.

<div class="blockof code">[&quot;Example Agent&quot;=AUTHAGENT_EXAMPLE=agent]
/some/path/or/other/* r+w
</div>

<p> It is possible to supply additional, per-path information to an agent. 
This can be any free-form text (up to a maximum length of 63 characters).  This
might be a configuration file location, as used in the example CEL
authenticator.  For example

<div class="blockof code">[&quot;CEL Authenticator&quot;=AUTHAGENT_CEL=agent]
/some/path/or/other/* r+w,param=WASD_ROOT:[LOCAL]CEL1.LIS
/a/nother/path/* r+w,param=WASD_ROOT:[LOCAL]CEL2.LIS
</div>

<p> Generally authorization agent scripts use 401/WWW-Authorize: transactions
to establish identity and credentials.  It is possible for an agent to
establish identity outside of this using mechanisms available only to itself. 
In this case it is necessary to suppress the usually automatic generation of
username/password dialogs using a realm of <span class="high italic">agent+opaque</span>

<div class="blockof code">[AUTHAGENT_PAPI=agent+opaque]
/papi/path/or/other/* r+w
/a/nother/papi/path/* r+w
</div>

<p> An older mechanism required a leading parameter of &quot;/NO401&quot;.  It is
included here only for reference.  The <span class="high italic">agent+opaque</span> realm should
now always be used.

<div class="blockof code">[&quot;Another Authenticator&quot;=AUTHAGENT_ANOTHER=agent]
/some/path/or/other/* r+w,param=&quot;/NO401 MORE PARAMETERS CAN BE SUPPLIED&quot;
/a/nother/path/* r+w,param=&quot;/NO401 OTHER PARAMETERS CAN BE SUPPLIED&quot;
</div>

<p> It is necessary to have the following entry in the WASD_CONFIG_MAP
configuration file:

<div class="blockof code">exec+ /cgiauth-bin/* /cgi-bin/*
</div>

<p> This allows authentication scripts to be located outside of the general
server tree if desired.

<li class="item"> <span class="high bold">Token</span>

<p> A <span class="high italic">token</span> is a short-lived, cookie delivered, representation of
authentication established in another context.  Originally devised to allow
controlled access to very large datasets without the overhead of SSL in the
transmission but with access credentials supplied in the privacy of an SSL
connection.  The cookie contains NO CREDENTIAL data at all and the
authenticator manages an internal database of these so it can determine whether
any supplied token is valid and when that token has expired.  By default (and
commonly) token authorisation occurs in non-SSL space (http:) and the
credential authorisation in SSL space (https:).

<p> Token authorisation is described in <a class="link" href="#3.11.tokenauthentication">3.11 Token Authentication</a>.

<li class="item"> <span class="high bold">Host Group</span>

<p> Instead of a list of usernames contained in a database, a group within a
realm (either or both <span class="high italic">full-access-source</span> or
<span class="high italic">read-only-source</span>, see <a class="link" href="#3.4.authorizationconfigurationfile">3.4 Authorization Configuration File</a>) may be
specified as a host, group of hosts or network mask.  This acts to restrict all
requests from clients not matching the IP address specification.  Unlike the
per-path access restrict list (<a class="link" href="#3.4.accessrestrictionkeywords">&lsquo;Access Restriction Keywords&rsquo; in 3.4 Authorization Configuration File</a>) this
construct applies to all paths in the realm.  It also offers relative
efficiencies over restriction lists and lends itself to some environments based
on per-host identification (e.g. the RFC1413 realm).  Note that IP addresses
can be <span class="high italic">spoofed</span> (impersonated) so this form of access control should
be deployed with some caution.

<div class="blockof code">[RFC1413;131.185.250.*]
/path1/to/be/authorized/* r+w

[RFC1413;131.185.250.0/24]
/path2/to/be/authorized/* r+w

[RFC1413;131.185.250.0/255.255.255.0]
/path3/to/be/authorized/* r+w
</div>

<p> The examples of realm specifications above all act to restrict read-write
access via the RFC1413 realm to hosts within the 131.185.250.<span class="high italic">nnn</span> subnet.

<li class="item"> <span class="high bold">External</span>

<p> Generally the WASD model is for the server to perform authorisation
processing and so the password never becomes visible at the application level. 
For scripting environments performing their own authentication the server will
decode and parse the request &quot;Authorization:&quot; header for paths under the
EXTERNAL realm.  

<div class="blockof code">[EXTERNAL]
/some/path/or/other/* r+w
</div>

<p> The various authentication data are then provided in the CGI variables

<ul class="list simple list0">
<li class="item"> AUTH_TYPE
<li class="item"> AUTH_ACCESS
<li class="item"> AUTH_PASSWORD
<li class="item"> AUTH_REALM
<li class="item"> AUTH_REALM_DESCRIPTION
<li class="item"> HTTP_AUTHORIZATION
<li class="item"> REMOTE_USER
</ul>

<li class="item"> <span class="high bold">Opaque</span>

<p> If the script is performing its own authentication and authorisation using
the raw request header then the server needs to be advised of this by placing
the required paths under the OPAQUE realm.

<div class="blockof code">[OPAQUE]
/another/path/* r+w
</div>

<p> The server will then provide only the &quot;Authorization:&quot; header data
in the CGI variable HTTP_AUTHORIZATION from which the username and password may
be processed.

</ul>

<a id="3.5.0.0.1" href="#"></a>
<a id="3.5.multiplesourcetypes" href="#"></a>
<a id="multiplesourcetypes" href="#"></a>
<h5 class="head"><span class="text">Multiple Source Types</span></h5>

<p> A realm directive may contain one or more different types of authorization
information source, with the following restrictions.

<ul class="list">

<li class="item"> Rights identifiers may only be used with SYSUAF authenticated requests. 
The following combinations would therefore not be allowed.

<div class="blockof code">[DEVELOPERS;PROJECT_A=id]
[DEVELOPERS=hta;LIBRARIAN=id;PROJECT_A=list]
[STOOGES=list;MOE_HOWARD=id]
</div>

<li class="item"> WASD rights identifiers (deprecated) may only be used for group
membership when the /AUTHORIZE=WASD server qualifier has been specified at
startup, and the username has been authenticated using a WASD identifier.  See
<a class="link" href="#3.10.4.wasdquothardwiredquotidentifiers">3.10.4 WASD &quot;Hard-Wired&quot; Identifiers</a>.

</ul>

<a id="3.5.0.0.2" href="#"></a>
<a id="3.5.realmdescription" href="#"></a>
<a id="realmdescription" href="#"></a>
<h5 class="head"><span class="text">Realm Description</span></h5>

<p> It is possible to supply text describing the authentication realm to the
browser user that differs from the actual source name.  This may be used to
disguise the  actual source or to provide a more informative description than
the source name conveys.

<p> Prefixing the actual realm source name with a double-quote delimited string
(of up to 31 characters) and an equate symbol will result in the string being
sent to a browser as the realm description during an authentication challenge. 
Here are some examples.

<div class="blockof code">[&quot;the local host&quot;=VMS]
[&quot;Social Club&quot;=SOCIAL_CLUB_RW=id]
[&quot;Finance Staff&quot;=FINANCE=list]
[&quot;Just Another Database&quot;=DBACCESS=hta]
</div>

<div class="note"><a id="3.5.0.0.2.1" href="#"></a>
<a id="3.5.note" href="#"></a>
<a id="note" href="#"></a>
<h5 class="head center"><span class="text">Note</span></h5>
<hr class="note_hr">

The <span class="high italic">Digest</span> authentication scheme uses the realm description at both
server and browser in the hashed password challenge and response.  When
passwords are stored in an HTA file this realm description cannot be changed
without rendering these passwords invalid.
<hr class="note_hr">
</div>

<a id="3.6" href="#"></a>
<a id="3.6.realmfullaccessreadonly" href="#"></a>
<a id="realmfullaccessreadonly" href="#"></a>
<h2 class="head"><span class="numb">3.6</span><span class="text">Realm, Full-Access, Read-Only</span></h2>

<p> WASD authorization offers a number of combinations of access control.  This
is a summary.  Please note that when referring to the <span class="high italic">level-of-access</span> a
particular username may be allowed (read-only or full, read-write  access),
that it is always moderated by the level-of-access provided with a path
configured within that realm.  See <a class="link" href="#3.3.permissionspathanduser">3.3 Permissions, Path and User</a>.

<ul class="list">

<li class="item"> <span class="high bold">Authentication Only</span>

<p> When a path is controlled by a realm that comprises an authentication
source only, as in this example

<div class="blockof code">[authentication-source]
</div>
 usernames authenticated using that source are granted full (read and write)
access.

<li class="item"> <span class="high bold">Authentication and Group</span>

<p> Where a group membership source is provided following the authentication
source, as illustrated in this example

<div class="blockof code">[authentication-source;group-source]
</div>
 the level-of-access depends on the source of the group membership.  If
from a <span class="high italic">simple-list</span> of usernames or via a <span class="high italic">VMS rights
identifier</span> the username receives full (read and write) access.  If from an HTA
database the access is dependent on what is set against that user in the
database.  It can be either full or read-only.

<li class="item"> <span class="high bold">Authentication and Two Groups</span>

<p> When a second group is specified, as in

<div class="blockof code">[authentication-source;group-source;group-source]
</div>

the authentication is interpreted in a fixed fashion.  The first group
specified contains usernames to be granted full (read and write) access.  The
second group read-only access.  Should a username occur in both groups full
access takes precedence.

<p> The second group may be specified as an asterisk wildcard (&quot;*&quot;) which is 
interpreted as <span class="high italic">everyone else</span> (i.e. everyone else gets read-only access).

</ul>

<a id="3.7" href="#"></a>
<a id="3.7.virtualservers" href="#"></a>
<a id="virtualservers" href="#"></a>
<h2 class="head"><span class="numb">3.7</span><span class="text">Virtual Servers</span></h2>

<p> As described in
<a class="link blank" target="_blank" href="../config/#virtualservices">Virtual Services</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>,
virtual service syntax may be used with authorization mapping to selectively
apply rules to one specific service.  This example provides the essentials of
using this syntax.  Note that service-specific and service-common rules may be
mixed in any order allowing common authorization environments to be shared.

<div class="blockof code"># authorization rules example for virtual servers
[[alpha.example.com:443]]
# ALPHA SSL is the only service permitting VMS (SYSUAF) authentication
[LOCAL=vms]
/web/* https:,r+w ; r
/httpd/-/admin/* ~daniel,https:,r+w
[[beta.example.com:80]]
# BETA has its own HTA database
[BETA_USER=hta]
/web/* r+w ; r
[[gamma.example.com:80]]
# GAMMA likewise
[GAMMA_DEVELOPER=id;PROJECT-A=list]
/web/project/a/* r+w ; r
[GAMMA_DEVELOPER=id;PROJECT-B=list]
/web/project/b/* r+w ; r
[[*]]
# allow anyone from the local subnet to upload to here
[WORLD]
/web/unload/* 131.185.200.*,r+w
</div>

<p> The online Server Administration facility path authorization report
(<a class="link" href="#9.4.httpdserverreports">9.4 HTTPd Server Reports</a>) provides a selector allowing the viewing and
checking of rules showing all services or only one particular virtual server,
making it simpler to see exactly what any particular service is authorizing
against.

<a id="3.8" href="#"></a>
<a id="3.8.authorizationconfigurationexamples" href="#"></a>
<a id="authorizationconfigurationexamples" href="#"></a>
<h2 class="head"><span class="numb">3.8</span><span class="text">Authorization Configuration Examples</span></h2>

<p> Mixed case is used in the configuration examples (and should be in
configuration files) to assist in readability.  Rule interpretation however is
completely case-insensitive.

<ol class="list">

<li class="item"> In the following example the authentication realm is &quot;WASD&quot;, a
synonym for SYSUAF authentication, and the permissions group
&quot;SOCIALCLUB&quot;, a simple list of usernames.  The directive allows those
authenticated from the WASD realm and in the SOCIALCLUB group full access (read
and write), and the world read-only.

<div class="blockof code">[WASD=vms;SOCIALCLUB=list]
/web/socialclub/* r+w ; read
</div>

<li class="item"> This example illustrates restricting access according to internet address.
Both the group and world restrictions are identical, but the group address is
being specified numerically, while the world access is being specified
alphabetically (just for the purposes of illustration). This access check is
done using simple wildcard comparison, and makes numerical specifications
potentially more efficient because they are usually shorter. The second line
restricts that path's write access even further, to one username,
&quot;BLOGGS&quot;.

<div class="blockof code">[WASD=vms;SOCIALCLUB=list]
/web/socialclub/* 131.185.45.*,get,post; *.example.com,get
/web/socialclub/accounts/* 131.185.45.*,~BLOGGS,get,post; *.example.com,get
</div>

<li class="item"> Three sources for authorization are specified in the following example. 
As the authentication source is VMS (by rights identifier), the full-access
group and read-only group can also be determined by possessing the specified
identifiers.  The first path can only be written to by those holding the
full-access identifier (librarian), the second path can only be read by both. 
The world has no access to these paths.

<div class="blockof code">[DEVELOPER=id;PROJECT_A_LIBRARIAN=id;PROJECT_A_USER=id]
/web/projects/a/*  r+w
/web/projects/*    r
</div>

<li class="item"> This example is the same as the one above, except in this case everyone
else (that can authenticate against the resource) gets read-only access to the
projects.

<div class="blockof code">[DEVELOPER=id;PROJECT_A_LIBRARIAN=id;*]
/web/projects/a/*  r+w
/web/projects/*    r
</div>

<li class="item"> In the following example the authentication realm and group are a single
HTA database, &quot;ADMIN&quot;. The first directive allows those in the ADMIN group to
read and write, and the world to read (&quot;get,post;get&quot;). The second line
restricts write and even read access to ADMIN group, no world access at all
(&quot;get,post&quot;).

<div class="blockof code">[ADMIN=hta]
/web/everyone/* get,post;get
/web/select/few/* get,post
</div>

<li class="item"> With this example usernames are used to control access to the specified
paths. These usernames are authenticated from the COMPANY database.  The world
has read access in both cases.  Note the realm description, &quot;The
Company&quot;.

<div class="blockof code">[&quot;The Company&quot;=COMPANY=hta]
/web/docs/* ~Howard,~George,~Fred,r+w ; r
/web/accounts/* ~George,r+w ; r
</div>

<li class="item"> The following example shows a path specifying the local system's SYSUAF
being used to authenticate any usernames. Whenever using SYSUAF authentication
it is <span class="high bold">strongly recommended to limit the potential hosts</span> that can
authenticate in this way by always using a host-limiting access restriction
list. The world gets read access.

<div class="blockof code">[VMS]
/web/local/area/* 131.185.250.*,r+w ; r
</div>

<li class="item"> To restrict server administration to browsers executing on the server
system itself and the SYSUAF-authenticated username DANIEL use a restriction
list similar to the following.  It also shows the use of SYSUAF-authentication
being hidden by using a realm description.

<div class="blockof code">[&quot;not the VMS SYSUAF&quot;=VMS]
/httpd/-/admin/*  #localhost,~daniel,r+w
</div>

<li class="item"> This example uses the RFC1413 <span class="high italic">identification protocol</span> as the
authentication source and a host group to control full access to paths in the
realm.

<div class="blockof code">[&quot;Ident Protocol&quot;=RFC1413;131.185.250.0/24]
/web/local/* r+w
</div>

<li class="item"> The following example illustrates providing a read and writable area
(GET, POST and PUTable) to hosts in the local network <span class="high bold">without username
authentication</span> (careful!).

<div class="blockof code">[WORLD]
/web/scratch/*  *.local.hosts.only,r+w
</div>

</ol>

<a id="3.8.1" href="#"></a>
<a id="3.8.1.kiss" href="#"></a>
<a id="kiss" href="#"></a>
<h3 class="head"><span class="numb">3.8.1</span><span class="text">KISS</span></h3>

<p> WASD authorization allows for very simple authorization environments and
provides the scope for quite complex ones.  The path authentication scheme
allows for multiple, individually-maintained authentication and authorization
databases that can then be administered by autonomous managers, applying to
widely diverse paths, all under the ultimate control of the overall Web
administrator.

<p> <span class="high bold">Fortunately great complexity is not generally necessary.</span>

<p> Most sites would be expected to require only an elementary setup allowing a
few selected Web information managers the ability to write to selected paths. 
This can best be provided with the one authentication database containing read
and write permissions against each user, with an access-restriction list
against individual paths.

<p> For example.  Consider a site with three departments, each of which wishes
to have three representatives capable of administering the departmental Web
information.  Authentication is via the SYSUAF.  Web administrators hold an
appropriate VMS rights identifier, &quot;WEBADMIN&quot;.  Department groupings are
provided by three simple lists of names, including the Web administrators
(whose rights identifier would not be applied if access control is via a simple
list), a fourth lists those with read-only access into the Finance area.  The
four grouping files would look like:

<div class="blockof code"># Department 1            # Department 2
WEB1                      WEB1
WEB2                      WEB2
JOHN                      RINGO
PAUL                      CURLY
GEORGE                    LARRY

# Department 3            # Finance (read access)
WEB1                      PAUL
WEB2                      GEORGE
MOE                       JOHN
SHEMP                     RINGO
MAC
</div>

<p> The authorization configuration file then contains:

<div class="blockof code">#######################################################################

# allow web masters (!) to use the server administration facility
#                       to revise web configuration files
# world has no access (read or write)
# access is only allowed from a browser in the same subnet as the HTTPd
[&quot;Hypo Thetical Corp.&quot;=HYPOTHETICAL=vms;WEBADMIN=id]
/httpd/-/admin/*  #150.15.30.*,r+w
/wasd_root/local/*  #150.15.30.*,r+w

# allows Department 1 representatives to maintain their web
# this may only be done from within the company subnet
# world has read access
[&quot;Hypo Thetical Corp.&quot;=HYPOTHETICAL=vms;DEPARTMENT1=list]
/web/dept/general/*   150.15.30.*,r+w ; r

# and so on for the rest of the departments

[&quot;Hypo Thetical Corp.&quot;=HYPOTHETICAL=vms;DEPARTMENT2=list;FINANCE=list]
# no world read access into finance, only those in the FINANCE list
/web/dept/finance/*    150.15.30.*,r+w 

[&quot;Hypo Thetical Corp.&quot;=HYPOTHETICAL=vms;DEPARTMENT3=list]
/web/dept/inventory/*       150.15.30.*,r+w ; r
/web/dept/production/*      150.15.30.*,r+w ; r
# (the next uses line continuation just for illustration)
/web/dept/marketing/*       150.15.30.*,\
                            r+w ;\
                            read

# we need an area for general POSTing (just for illustration :-)
[WORLD]
/web/world/*  r+w 

#######################################################################
</div>

<a id="3.9" href="#"></a>
<a id="3.9.authorizationcache" href="#"></a>
<a id="authorizationcache" href="#"></a>
<h2 class="head"><span class="numb">3.9</span><span class="text">Authorization Cache</span></h2>

<p> Access to authentication sources (SYSUAF, simple lists and HTA databases)
is a relatively expensive operation.  To reduce the impact of this activity on
request latency and general server performance, authentication and
realm-associated permissions for each authenticated username are stored in a
cache.  This means that only the initial request needs to be checked from
appropriate databases, subsequent ones are resolved more quickly and
efficiently from cache.

<p> Such cached entries have a finite lifetime associated with them.  This
ensures that authorization information associated with that user is regularly
refreshed.  This period, in minutes, is set using the [AuthCacheMinutes]
configuration parameter.  Zero disables caching with a consequent impact on
performance.

<a id="3.9.0.0.1" href="#"></a>
<a id="3.9.implication" href="#"></a>
<a id="implication" href="#"></a>
<h5 class="head"><span class="text">Implication</span></h5>

<p> Wherever a cache is employed there arises the problem of keeping the
contents current.  The simple lifetime on entries in the authentication cache
means they will only be checked for currency whenever it expires.  Changes may
have occurred to the databases in the meantime.

<p> Generally there are other considerations when adding user access. 
Previously the user's attempt failed (and was evaluated each time); now the user
is allowed access and the result is cached.

<p> When removing or modifying access for a user the cached contents must be
taken into account.  The user will continue to experience the previous level of
access until the cache lifetime expires on the entry.  When making such changes
it is recommended to explicitly purge the authentication cache either from the
command line using /DO=AUTH=PURGE (<a class="link" href="#9.7.httpdcommandline">9.7 HTTPd Command Line</a>) or via the
Server Administration facility (<a class="link" href="#9.serveradministration">9. Server Administration</a>).  Of course the
other solution is just to disable caching, which is a less than optimal
solution.

<a id="3.10" href="#"></a>
<a id="3.10.sysuafauthenticatedusers" href="#"></a>
<a id="sysuafauthenticatedusers" href="#"></a>
<h2 class="head"><span class="numb">3.10</span><span class="text">SYSUAF-Authenticated Users</span></h2>

<p> The ability to authenticate using the system's SYSUAF is controlled by the
server /SYSUAF[=keyword] qualifier. By default it is disabled.

<div class="note center">
<a id="3.10.0.0.1" href="#"></a>
<a id="3.10.warning" href="#"></a>
<a id="warning" href="#"></a>
<h5 class="head center"><span class="text">WARNING!</span></h5>
<hr class="note_hr">
<span class="high bold">SYSUAF authentication is not recommended except in the most secure
of LAN environments or when SSL is employed.</span>
<br> HTTP credentials (username and password) are transmitted as encoded (not
encrypted) plain-text, making them vulnerable to eavesdropping.
<hr class="note_hr">
</div>

<p> By default accounts with SYSPRV authorized are always rejected to discourage
the use of potentially significant usernames (e.g. SYSTEM). This behaviour can
be changed through the use of specific identifiers, see <a class="link" href="#3.10.3.rightsidentifiers">3.10.3 Rights Identifiers</a> immediately below. Accounts that are disusered, have passwords
that have expired or that are captive or restricted are always rejected. 
Accounts that have access day/time restricting access will have those
restrictions honoured (see <a class="link" href="#3.10.3.rightsidentifiers">3.10.3 Rights Identifiers</a> for a workaround for
this).

<p> Also see <a class="link" href="#3.10.6.nilaccessvmsaccounts">3.10.6 Nil-Access VMS Accounts</a>.

<a id="3.10.1" href="#"></a>
<a id="3.10.1.acme" href="#"></a>
<a id="acme" href="#"></a>
<h3 class="head"><span class="numb">3.10.1</span><span class="text">ACME</span></h3>

<p> By default the Authentication and Credential Management Extension (ACME) is
used to authenticate SYSUAF requests on Alpha and Itanium running VMS V7.3 or
later  (<a class="link" href="#3.5.authenticationsources">3.5 Authentication Sources</a>). The advantage of ACME is with the
processing of the (rather complex) authentication requirements by a
vendor-supplied implementation.  It also allows SYSUAF password change to be
made subject to the full site policy (password history, dictionary checking,
etc.) which WASD does not implement.

<div class="note center">
<a id="3.10.1.0.1" href="#"></a>
<a id="3.10.1.shouldacmebeunavailable" href="#"></a>
<a id="shouldacmebeunavailable" href="#"></a>
<h5 class="head center"><span class="text">Should ACME be unavailable</span></h5>
<hr class="note_hr">
for whatever reason (x86-64 EAK for example) then define the logical name
WASD_NO_ACME to force reversion to SYSUAF authentication.
<hr class="note_hr">
</div>

<a id="3.10.2" href="#"></a>
<a id="3.10.2.logontype" href="#"></a>
<a id="logontype" href="#"></a>
<h3 class="head"><span class="numb">3.10.2</span><span class="text">Logon Type</span></h3>

<p> By default SYSUAF authentication uses the NETWORK access restriction from
the account SYSUAF record.  Alternatives LOCAL, DIALUP and REMOTE may be
specified using global configuration directive

<div class="blockof code"># WASD_CONFIG_GLOBAL
[AuthSYSUAFlogonType]  REMOTE
</div>

and/or authorization rule parameter 'param=&quot;logon=REMOTE&quot;'

<div class="blockof code">[&quot;VMS Credentials&quot;=WASD_VMS_RW=ID]
/secured/* r+w,https,param=&quot;logon=REMOTE&quot;
</div>

(which takes precedence).

<a id="3.10.3" href="#"></a>
<a id="3.10.3.rightsidentifiers" href="#"></a>
<a id="rightsidentifiers" href="#"></a>
<h3 class="head"><span class="numb">3.10.3</span><span class="text">Rights Identifiers</span></h3>

<p> Whether or not any particular username is allowed to authenticate via the
SYSUAF may be controlled by that account holding or not holding a particular
VMS rights identifier. When a username has been authenticated via the SYSUAF,
rights identifiers associated with that account may be used to control the
level-of-access within that realm.

<p> Use of identifiers for these purposes are enabled using the /SYSUAF=ID
server startup qualifier.

<p> The first three reserved identifier names are optional.  A warning will be
reported during startup if these are not found.  The fourth must exist if
SYSUAF proxy mappings are used in a /SYSUAF=ID environment.

<ul class="list">

<li class="item"> <span class="high bold">WASD_HTTPS_ONLY &ndash; </span> restricts accounts holding it to authenticating
using SSL (https:).  Authentication via a standard &quot;http:&quot; will always be
denied.

<li class="item"> <span class="high bold">WASD_NIL_ACCESS &ndash; </span> allows accounts with access time restrictions to
authenticate via the SYSUAF.  This is particularly intended to support the use
of nil-access accounts, see <a class="link" href="#3.10.6.nilaccessvmsaccounts">3.10.6 Nil-Access VMS Accounts</a>.

<li class="item"> <span class="high bold">WASD_PASSWORD_CHANGE &ndash; </span> allows an account to modify its SYSUAF
password, if this is configured for the server, see <a class="link" href="#3.15.userpasswordmodification">3.15 User Password Modification</a>.

<li class="item"> <span class="high bold">WASD_PROXY_ACCESS &ndash; </span> allows an account to be used for proxy access if
/SYSUAF=ID is in effect, see <a class="link" href="#3.10.5.vmsaccountproxying">3.10.5 VMS Account Proxying</a>.

</ul>

<p> Identifiers may be managed using the following commands.  If unsure of the
security implications of this action consult the relevant VMS system management
security documentation.

<div class="blockof code">&dollar; SET DEFAULT SYS&dollar;SYSTEM
&dollar; MCR AUTHORIZE
UAF&gt; ADD /IDENTIFIER WASD_HTTPS_ONLY
UAF&gt; ADD /IDENTIFIER PROJECT_USER
UAF&gt; ADD /IDENTIFIER PROJECT_DEVELOPER
UAF&gt; ADD /IDENTIFIER PROJECT_LIBRARIAN
</div>

<p> They can then be provided to desired accounts using commands similar to the
following:

<div class="blockof code">UAF&gt; GRANT /IDENTIFIER PROJECT_USER &lt;account&gt;
</div>

and removed using:

<div class="blockof code">UAF&gt; REVOKE /IDENTIFIER PROJECT_USER &lt;account&gt;
</div>

<p> Be aware that, as with all successful authentications, and due to the WASD
internal authentication cache, changing database contents does not immediately
affect access.  Any change in the RIGHTSLIST won't be reflected until the cache
entry expires or it is explicitly flushed
(<a class="link" href="#3.9.authorizationcache">3.9 Authorization Cache</a>).

<a id="3.10.4" href="#"></a>
<a id="3.10.4.wasdquothardwiredquotidentifiers" href="#"></a>
<a id="wasdquothardwiredquotidentifiers" href="#"></a>
<h3 class="head"><span class="numb">3.10.4</span><span class="text">WASD &quot;Hard-Wired&quot; Identifiers</span></h3>

<div class="note center">
<a id="3.10.4.0.1" href="#"></a>
<a id="3.10.4.deprecatedanddiscouraged" href="#"></a>
<a id="deprecatedanddiscouraged" href="#"></a>
<h5 class="head center"><span class="text">Deprecated and Discouraged</span></h5>
<hr class="note_hr">
As this has been deprecated for some years now the documentation for this
functionality has been removed.
<hr class="note_hr">
</div>

<a id="3.10.5" href="#"></a>
<a id="3.10.5.vmsaccountproxying" href="#"></a>
<a id="vmsaccountproxying" href="#"></a>
<h3 class="head"><span class="numb">3.10.5</span><span class="text">VMS Account Proxying</span></h3>
 
<p> Any authentication realm can have its usernames mapped into VMS usernames
and the VMS username used as if it had been authenticated from the SYSUAF.
This is a form of proxy access.

<div class="note">
<a id="3.10.5.0.1" href="#"></a>
<a id="3.10.5.caution" href="#"></a>
<a id="caution" href="#"></a>
<h5 class="head center"><span class="text">CAUTION</span></h5>
<hr class="note_hr">
This is an extremely powerful mechanism and as a consequence requires enabling
on the command-line at server startup using the /SYSUAF=PROXY qualifier and
keyword.  If identifiers are used to control SYSUAF authentication (i.e.
/SYSUAF=ID) then any account mapped by proxy access must hold the
WASD_PROXY_ACCESS identifier described in <a class="link" href="#3.10.3.rightsidentifiers">3.10.3 Rights Identifiers</a> (and
server startup would be something like &quot;/SYSUAF=(ID,PROXY)&quot;).
<hr class="note_hr">
</div>

<p> When a proxy mapping occurs request user authorization detail reflects the
SYSUAF username characteristics, not the actual original authentication source. 
This includes username, user details (i.e. becomes that derived from the
<span class="high italic">owner</span> field in the SYSUAF), constraints on the username access (e.g. SSL
only), and user capabilities including any profile if enabled.  Authorization
source detail remains unchanged, reflecting the realm, realm description and
group of the original source.  For CGI scripting an additional variable,
WWW_AUTH_REMOTE_USER, provides the original remote username.

<p> For each realm, and even for each path, a different collection of mappings
can be applied.  Proxy  entries are strings containing no white space.  There
are three basic variations, each with an optional host or network mask
component.

<ul class="list simple list0">
<li class="item"> remote[@host&verbar;@network/mask]=SYSUAF
<li class="item"> *[@host&verbar;@network/mask]=SYSUAF
<li class="item"> *[@host&verbar;@network/mask]=*
</ul>

<p> The &quot;SYSUAF&quot; is the VMS username being mapped to.  The <span class="high italic">remote</span>  is the
remote username (CGI variable WWW_REMOTE_USER).  The first variation maps a
matching  remote username (and optional host/network) onto the specific SYSUAF
username.  The second maps all remote usernames (and optional host/network) to
the one SYSUAF username (useful as a final mapping).  The third maps all remote
usernames (optionally on the remote host/network) into the same SYSUAF username
(again useful as a final mapping if there is a one-to-one equivalence between
the systems).

<p> Proxy mappings are processed sequentially from first to last until a
matching rule is encountered.  If none is found authorization is denied. 
Match-all and default mappings can be specified.

<div class="blockof code">[RFC1413]
[AuthProxy] bloggs@131.185.250.1=fred
[AuthProxy] doe@131.185.250.*=john system=- *@131.185.252.0/24=*
[AuthProxy] *=GUEST
</div>

<p> In this example the username <span class="high italic">bloggs</span> on system 131.185.250.1 can access
as if the request had been authenticated via the SYSUAF using the username and
password of <span class="high italic">FRED</span>, although of course no SYSUAF username or password needs
to  be supplied.  The same applies to the second mapping, <span class="high italic">doe</span> on the remote
system to <span class="high italic">JOHN</span> on the VMS system.  The third mapping disallows a <span class="high italic">system</span>
account ever being mapped to the VMS equivalent.  The fourth, wildcard mapping,
maps all accounts on all systems in 131.185.250.0 8 bit subnet to the same VMS
username on the server system.  The fifth mapping provides a default username
for all other remote usernames (and used like this would terminate further
mapping).

<p> Note that multiple, space-separated proxy entries may be placed on a single
line.  In this case they are processed from left to right and first to last.

<div class="blockof code">[&quot;Just an Example&quot;=EXAMPLE=list]
[AuthProxy] bloggs@131.185.250.1=fred doe@131.185.250.1=doe system=- \
*@131.185.252.0/24=* *=GUEST
</div>

<p> Proxy mapping rules should be placed after a realm specification and before
any authorization path rules in that realm.  In this way the mappings will
apply to all rules in that realm.  It is possible to change the mappings
between rules.  Just insert the new mappings before the (first) rule they apply
to.  This cancels any previous mappings and starts a new set.  This is an
example.

<div class="blockof code">[&quot;A Bunch of Users&quot;=USERS=hta]
[AuthProxy] bloggs@131.185.250.1=fred doe@131.185.250.1=john
/fred/and/johns/path/* r+w
[AuthProxy] *=GUEST
/other/path/* read
</div>

<p> An alternative to in-line proxy mapping is to provide the mappings in one
or more independent files.  In-line and in-file mappings may be combined.

<div class="blockof code">[&quot;Another Bunch of Users&quot;=MORE_USERS=hta]
[AuthProxy] SYSTEM=-
[AuthProxyFile]  WASD_ROOT:[LOCAL]PROXY.CONF
/path/for/proxy* r+w
</div>

<p> To cancel all mappings for following rules use an [AuthProxy] (with no
following mapping detail).  Previous mappings are always cancelled with the
start of a new realm specification.  Where proxy mapping is not enabled at the
command line or a proxy file cannot be loaded at startup a proxy entry is
inserted preventing <span class="high bold">all access</span> to the path.

<p> <span class="high bold">REMEMBER &ndash; </span> proxy processing can be observed using the WATCH facility.

<a id="3.10.6" href="#"></a>
<a id="3.10.6.nilaccessvmsaccounts" href="#"></a>
<a id="nilaccessvmsaccounts" href="#"></a>
<h3 class="head"><span class="numb">3.10.6</span><span class="text">Nil-Access VMS Accounts</span></h3>

<p> It is possible, and may be quite effective for some environments, to have a
SYSUAF account or accounts strictly for HTTP authorization, with no actual
interactive or other access allowed to the VMS system itself.  This would relax
the caution on the use of SYSUAF authentication outside of SSL transactions. An
obvious use would be for the HTTP server administrator.  Additional accounts
could be provided for other authorization requirements, all without
compromising the system's security.

<p> In setting up such an environment it is vital to ensure the HTTPd server is
started using the /SYSUAF=ID qualifier (<a class="link" href="#3.2.authenticationpolicy">3.2 Authentication Policy</a>).  This
will require all SYSUAF-authenticated accounts to possess a specific VMS
resource identifier, accounts that do not possess the identifier cannot be used
for HTTP authentication.  In addition the identifier WASD_NIL_ACCESS will need
to be held (<a class="link" href="#3.10.3.rightsidentifiers">3.10.3 Rights Identifiers</a>), allowing the account to authenticate
despite being restricted by REMOTE and NETWORK time restrictions.

<p> To provide such an account select a group number that is currently unused
for any other purpose.  Create the desired account using whatever local utility
is used then activate VMS AUTHORIZE and effectively disable access to that
account from all sources and grant the appropriate access identifier (see
<a class="link" href="#3.10.3.rightsidentifiers">3.10.3 Rights Identifiers</a> above).

<div class="blockof code">&dollar; SET DEFAULT SYS&dollar;SYSTEM
&dollar; MCR AUTHORIZE
UAF&gt; MODIFY &lt;account&gt; /NOINTERACTIVE /NONETWORK /NOBATCH /FLAG=DISMAIL
UAF&gt; GRANT /IDENTIFIER WASD_NIL_ACCESS &lt;account&gt;
UAF&gt; GRANT /IDENTIFIER WASD_VMS_RW &lt;account&gt;
</div>

<a id="3.10.7" href="#"></a>
<a id="3.10.7.sysuafandssl" href="#"></a>
<a id="sysuafandssl" href="#"></a>
<h3 class="head"><span class="numb">3.10.7</span><span class="text">SYSUAF and SSL</span></h3>

<p> When SSL is in use (<a class="link" href="#4.transportlayersecurity">4. Transport Layer Security</a>) the username/password
authentication information is inherently secured via the encrypted
communications of SSL. To enforce access to be via SSL add the following to the
WASD_CONFIG_MAP configuration file:

<div class="blockof code">/whatever/path/you/like/*  &quot;403 Access denied.&quot;  ![sc:https]
</div>

or alternatively the following to the WASD_CONFIG_AUTH configuration file:

<div class="blockof code">[REALM]
/whatever/path/you/like/*  https:
</div>

<p> Note that this mechanism is applied <span class="high bold">after</span> any path and method assessment
made by the server's authentication schema.

<p> The qualifier /SYSUAF=SSL provides a powerful mechanism for protecting
SYSUAF authentication, restricting SYSUAF authenticated transactions to the SSL
environment.  The combination /SYSUAF=(SSL,ID) is particularly effective.

<p> Also see <a class="link" href="#3.2.authenticationpolicy">3.2 Authentication Policy</a>.

<a id="3.10.8" href="#"></a>
<a id="3.10.8.sysuafsecurityprofile" href="#"></a>
<a id="sysuafsecurityprofile" href="#"></a>
<h3 class="head"><span class="numb">3.10.8</span><span class="text">SYSUAF Security Profile</span></h3>

<p> It is possible to control access to files and directories based on the VMS
security profile of a SYSUAF-authenticated remote user. This functionality is
implemented using VMS security system services involving SYSUAF and RIGHTSLIST
information. The feature must be explicitly allowed using the server /PROFILE
qualifier. By default it is disabled.

<div class="note"><a id="3.10.8.0.0.1" href="#"></a>
<a id="3.10.8.note" href="#"></a>
<a id="note" href="#"></a>
<h5 class="head center"><span class="text">Note</span></h5>
<hr class="note_hr">

Use caution when deploying the /PROFILE qualifier.  It was really designed with 
a very specific environment in mind, that of an Intranet where the sole purpose
was to provide VMS users access to their normal VMS resources via a Web
interface.
<hr class="note_hr">
</div>

<p> When a SYSUAF-authenticated user (i.e. the VMS realm) is first authenticated
a VMS security-profile is created and stored in the authentication cache
(<a class="link" href="#3.9.authorizationcache">3.9 Authorization Cache</a>). A cached profile is an efficient method of
implementing this as it obviously removes the need of creating a user profile
each time a resource is assessed. If this profile exists in the cache it is
attached to each request authenticated for that user. As it is cached for a
period, any change to a user's security profile in the SYSUAF or RIGHTSLIST
won't be reflected in the cached profile until the cache entry expires or it is
explicitly flushed (<a class="link" href="#9.6.httpdserveraction">9.6 HTTPd Server Action</a>).

<p> When a request has this security profile all accesses to files and
directories are assessed against it. When a file or directory access is
requested the security-profile is employed by a VMS security system service to
assess the access. If allowed, it is provided via the SYSTEM file protection
field. Hence it is possible to be eligible for access via the OWNER field but
not actually be able to access it because of SYSTEM field protections! If not
allowed, a &quot;no privilege&quot; error is generated.

<p> Once enabled using /PROFILE it can be applied to all SYSUAF authenticated
paths, but must be enabled on a per-path basis, using the WASD_CONFIG_AUTH
<span class="high italic">profile</span> keyword (<a class="link" href="#3.4.accessrestrictionkeywords">&lsquo;Access Restriction Keywords&rsquo; in 3.4 Authorization Configuration File</a>) 

<div class="blockof code"># WASD_CONFIG_AUTH
[VMS;VMS]
/wasd_root/local/* profile,https:,r+w
</div>

or the WASD_CONFIG_MAP SET <span class="high italic">profile</span> and <span class="high italic">noprofile</span> mapping rules
(see <a class="link blank" target="_blank" href="../config/#setrule">SET Rule</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>).

<div class="blockof code"># WASD_CONFIG_MAP
set /wasd_root/local/* profile
set * noprofile
</div>

<p> Of course, this functionality only provides access for the server, IT DOES
NOT PROPAGATE TO ANY SCRIPT ACCESS. If scripts must have a similar ability
they should implement their own scheme (which is not too difficult,
see <a class="link blank" target="_blank" href="/wasd_root/src/misc/chkacc.c">WASD_ROOT:[SRC.MISC]CHKACC.C</a>)
based on the CGI variable WWW_AUTH_REALM which would be &quot;VMS&quot; indicating
SYSUAF-authentication, and the authenticated name in WWW_REMOTE_USER.

<a id="3.10.8.0.1" href="#"></a>
<a id="3.10.8.performanceimpact" href="#"></a>
<a id="performanceimpact" href="#"></a>
<h5 class="head"><span class="text">Performance Impact</span></h5>

<p> If the /PROFILE qualifier has enabled SYSUAF-authenticated security
profiles,  whenever a file or directory is assessed for access an explicit VMS
security system service call is made.  This call builds a security profile of
the object being assessed, compares the cached user security profile and
returns an indication whether access is permitted or forbidden.  This is in
addition to any such assessments made by the file system as it is accessed.

<p> This extra security assessment is not done for non-SYSUAF-authenticated
accesses within the same server.

<p> For file access this extra overhead is negligible but becomes more
significant with directory listings (&quot;Index of&quot;) where each file in the
directory is independently assessed for access.

<a id="3.10.9" href="#"></a>
<a id="3.10.9.sysuafprofileforfullsiteaccess" href="#"></a>
<a id="sysuafprofileforfullsiteaccess" href="#"></a>
<h3 class="head"><span class="numb">3.10.9</span><span class="text">SYSUAF Profile For Full Site Access</span></h3>

<p> Much of a site's package directory tree is inaccessible to the server
account.  One use of the SYSUAF profile functionality is to allow authenticated
access to all files in that tree.  This can be accomplished by creating a
specific mapping for this purpose, subjecting that to SYSUAF authentication
with /PROFILE behaviour enabled (<a class="link" href="#3.10.8.sysuafsecurityprofile">3.10.8 SYSUAF Security Profile</a>), and limiting
the access to a SYSTEM group account.  As all files in the WASD package are
owned by SYSTEM the security profile used allows access to all files.

<p> The following example shows a path with a leading dollar (to differentiate
it from general access) being mapped into the package tree.  The
&quot;set * noprofile&quot; limits the application of this to the /&dollar;WASD_ROOT/
path (with the inline &quot;profile&quot;).

<div class="blockof code"># WASD_CONFIG_MAP
set * noprofile
  .
  .
  .
pass /wasd_root/* /wasd_root/*
pass /&dollar;WASD_ROOT/* /wasd_root/* profile
</div>

<p> This path is then subjected to SYSUAF authentication with access limited to
an SSL request from a specific IP address (the site administrator's) and the
SYSTEM account.

<div class="blockof code"># WASD_CONFIG_AUTH
[[&quot;/&dollar;WASD_ROOT/ Access&quot;=WASD_TREE_ACCESS=id]]
/&dollar;WASD_ROOT/* https,10.1.1.2,~system,read
</div>

<a id="3.11" href="#"></a>
<a id="3.11.tokenauthentication" href="#"></a>
<a id="tokenauthentication" href="#"></a>
<h2 class="head"><span class="numb">3.11</span><span class="text">Token Authentication</span></h2>

<p> This is a niche authorisation environment for addressing niche requirements.

<p> A <span class="high italic">token</span> is an HTTP cookie delivered representation of authentication
established in another context.  Originally devised to allow controlled access
to very large datasets without the overhead of SSL in the transmission but with
access credentials supplied in the privacy of an SSL connection.

<p> A common scenario is where the client starts off attempting to access a
resource in non-SSL space which is controlled by token authentication.  In the
first instance the authenticator detects there is no access token present and
redirects the client (browser) to the SSL equivalent of that space, where
credentials can be supplied encrypted.  In this example scenario the SSL area
is controlled by WASD SYSUAF authentication (can be SSL client certificate,
etc.) and the username/password is prompted for.  When correctly entered this
generates a token.  The token is stored (with corresponding detail) as a record
in a server-internal database and then returned to the browser as a set-cookie
value.

<p> With the token data stored the browser is transparently redirected back to
the non-SSL space where the actual access is to be undertaken, this time the
browser presenting the cookie containing the token.  The authenticator examines
the token, looking it up in the database.  If found, has originated from the
same IP address, represents the same authentication realm, and has not expired,
it then allows the non-SSL space access to proceed, and in this example
scenario the dataset transfer is initiated (in unencrypted clear-text).  If the
token is not found in the database or has expired, then the process is repeated
with a redirect back into SSL space.  If the realms differ a 403 forbidden
response is issued (see configuration below).

<p> The token itself is a significant sequence of pseudo-random characters, is
short-lived (configurable as anything from a few seconds to a few tens of
seconds, or more), and as a consequence is frequently regenerated.  The token
is just that, containing no actual credential data at all.  It might be
possible to snoop but as it contains nothing of value in itself, expires
relatively quickly, and has an originating IP address check, the fairly remote
risk of playback is just that.

<p> The authenticator does all the work, implicitly redirecting the user
from non-SSL space to SSL space for the original authentication, and then
back again with the token used for access in the non-SSL space.  With the
expiry of a token it undertakes that cycle again, redirecting back to the
SSL-space where the browser-cached credentials will be supplied automatically
allowing the fresh token to be issued, and then redirected back into non-SSL
space for access.  To emphasise - all this is transparent to the user.

<p> As a consequence of this model the resource being controlled can ONLY be
accessed from non-SSL space using the controlled path.  To access the same
resource from SSL space a distinct path to the resource must be provided.

<a id="3.11.0.0.1" href="#"></a>
<a id="3.11.configuration" href="#"></a>
<a id="configuration" href="#"></a>
<h5 class="head"><span class="text">Configuration</span></h5>

<p> As token authorisation relies on the client agent having HTTP cookies
enabled (globally or specifically for the site) it is useful to have this
tested for and/or advised about on some other, related area of the site. 
There are simple techniques using JavaScript for detecting the availability of
cookie processing.  Search the Web for a suitable solution.
 
<p> The automatic authorisation and redirection occurs using a combination of
two distinguishable authorisation rules, one for supplying the credentials, the
other for using the token for authorisation.  In this example (and commonly)
the resources are at &quot;/location/&quot; and the configuration accepts user-supplied
credentials in SSL space and uses the token in non-SSL space.  The asterisk
just indicates that in the absence of any other parameter this authorisation
rule has a complementary token rule where access will actually occur.

<div class="blockof code"># WASD_CONFIG_AUTH
if (ssl:) 
   [&quot;VMS credentials&quot;=WASD_VMS_RW=id+&quot;TOKEN=*&quot;]
   /location/* r+w
else
   [WASD_VMS_RW=TOKEN]
   /location/* r+w
endif
</div>

<p> And in this example, the same arrangement but with non-standard ports
(specified using an integer with a leading colon).

<div class="blockof code"># WASD_CONFIG_AUTH
if (ssl:) 
   [&quot;VMS credentials&quot;=WASD_VMS_RW=id+&quot;TOKEN=:7080&quot;]
   /location/* r+w
else
   [WASD_VMS_RW=TOKEN+&quot;TOKEN=:7443&quot;]
   /location/* r+w
endif
</div>

<p> To prevent potential thrashing, where multiple, distinct realms within a
<span class="high italic">single</span> request are authorised using tokens, corresponding multiple token
(cookie) names must be used.  It is expected that this would be an uncommon but
not impossible scenario.  The &quot;thrashing&quot; would be a result of authorisation
associated with a single, particular token name.  Where the realm differs from
that of a previously generated token, another token is required.  The token authorisation scheme
forces the use of distinct token names by 403-forbidding change of realm using
the one token.   Use explicitly specified, independent token (cookie) names, or
an integer preceded by an ampersand (which appends the integer to the base
token name), ensuring the complementary rules are using the same name/integer.

<div class="blockof code"># WASD_CONFIG_AUTH
if (ssl:) 
   [&quot;VMS credentials&quot;=WASD_VMS_RW=id+&quot;TOKEN=&amp;42&quot;]
   /location/* r+w
else
   [WASD_VMS_RW=TOKEN+&quot;TOKEN=&amp;42&quot;]
   /location/* r+w
endif
</div>

<p> For the final example, the token is contained in the non-default cookie
named &quot;Wasd_example&quot; and the authentication performed using an X509 client
certificate (which can only be supplied via SSL).

<div class="blockof code"># WASD_CONFIG_AUTH
if (ssl:) 
   [X509+&quot;TOKEN=WaSd_example&quot;]
   /location/* r+w
else
   [X509=TOKEN+&quot;TOKEN=WaSd_example&quot;]
   /location/* r+w
endif
</div>

<p> Some additional detail is available from the AUTHTOKEN.C code module.

<a id="3.12" href="#"></a>
<a id="3.12.skeletonkeyauthentication" href="#"></a>
<a id="skeletonkeyauthentication" href="#"></a>
<h2 class="head"><span class="numb">3.12</span><span class="text">Skeleton-Key Authentication</span></h2>

<p> Provides a username and password that is authenticated from data placed into
the global common (i.e. in memory) by the site administrator.  The username and
password expire (become non-effective) after a period, one hour by default or
an interval specified when the username and password are registered.

<p> It is a method for allowing ad hoc authenticated access to the server,
primarily intended for non-configured access to the online Server
Administration facilities (<a class="link" href="#9.1.accessbeforeconfiguration">9.1 Access Before Configuration</a>) but is
available for other purposes where a permanent username and password in an
authentication database is not necessary. A skeleton-key authenticated request
<span class="high bold">is subject to all other authorization processing</span> (i.e. access restrictions,
etc.), and can be controlled using the likes of '~_*', etc.

<p> The site administrator uses the command line directive

<div class="blockof code">&dollar; HTTPD /DO=AUTH=SKELKEY=<span class="high italic under">username:password[:period]</span>
</div>

to set the username/password, and optionally the period in minutes.  This
authentication credential can be cancelled at any time using

<div class="blockof code">&dollar; HTTPD /DO=AUTH=SKELKEY=0
</div>

<p> The username must begin with an underscore  (to reduce the chances of
clashing with a legitimate username) and have a minimum of 6 other characters. 
The password is delimited by a colon and must be at least 8 characters.  The
optional period in minutes can be from 1 to 10080 (one week).  If not supplied
it defaults to 60 (one hour).  After the period expires the skeleton key is no
longer accepted until reset.

<div class="note center"><a id="3.12.0.0.0.1" href="#"></a>
<a id="3.12.note" href="#"></a>
<a id="note" href="#"></a>
<h5 class="head center"><span class="text">Note</span></h5>
<hr class="note_hr">

Choose username and password strings that are less-than-obvious and a period
that's sufficient to the task!
<br> After all, it's <span class="high bold">your site</span> that you might compromise!
<hr class="note_hr">
</div>

<p> The authentication process (with skeleton-key) is performed using these
basic steps.

<ol class="list">

<li class="item"> Is a skeleton-key set?  If not continue on with the normal authentication
process.

<li class="item"> If set then check the request username leading character for an
underscore.  If not then continue on with normal authentication.

<li class="item"> If it begins with an underscore then match the request and skeleton-key
usernames.  If they do not match then continue with normal authentication.

<li class="item"> If the usernames match then compare the request and skeleton-key
passwords.  If matched then it's authenticated.  If not it becomes an
authentication failure.

</ol>

<p> Note that the authenticator resumes looking for a username from a
configured authentication source unless the request and skeleton-key usernames
match.  After that the passwords either match allowing access or do not match
resulting in an authentication failure.

<a id="3.12.0.0.1" href="#"></a>
<a id="3.12.examples" href="#"></a>
<a id="examples" href="#"></a>
<h5 class="head"><span class="text">Examples</span></h5>

<div class="blockof code">&dollar; HTTPD /DO=AUTH=SKELKEY=_FRED2ACC:USE82PA55

&dollar; HTTPD /DO=AUTH=SKELKEY=_ANDY2WERP:EGGO4TEE:10
</div>

<a id="3.13" href="#"></a>
<a id="3.13.controllingserverwriteaccess" href="#"></a>
<a id="controllingserverwriteaccess" href="#"></a>
<h2 class="head"><span class="numb">3.13</span><span class="text">Controlling Server Write Access</span></h2>

<p> The server account should have no direct write access into any directory
structure. Files in these areas should be owned by SYSTEM ([1,4]). Write access
for the server into VMS directories (using the POST or PUT HTTP methods) should
be controlled using VMS ACLs. <span class="high bold">This is in addition to the path authorization
of the server itself of course!</span> The recommendation to have no ownership of
files and provide an ACE on required directories prevents inadvertent
mapping/authorization of a path resulting in the ability to write somewhere not
intended.

<p> Two different ACEs implement two grades of access.

<ol class="list">

<li class="item"> If the ACE grants <span class="high bold">CONTROL</span> access to the server account
then only VMS-authenticated usernames with security profiles can potentially
write to the directory. Only potentially, because a further check is made to
assess whether that VMS account in particular has write access.

<p> This example shows a suitable ACE that applies only to the original
directory:

<div class="blockof code">&dollar; SET SECURITY directory.DIR -
  /ACL=(IDENT=HTTP&dollar;SERVER,ACCESS=READ+WRITE+EXECUTE+DELETE+CONTROL)
</div>
This example shows setting an ACE that will propagate to created files and
importantly, subdirectories:
<div class="blockof code">&dollar; SET SECURITY directory.DIR -
  /ACL=((IDENT=HTTP&dollar;SERVER,OPTIONS=DEFAULT,ACCESS=READ+WRITE+EXECUTE+DELETE+CONTROL), -
        (IDENT=HTTP&dollar;SERVER,ACCESS=READ+WRITE+EXECUTE+DELETE+CONTROL))
</div>

<li class="item"> If the ACE grants <span class="high bold">WRITE</span> access then the directory can be
written into by any authenticated username for the authorized path.

<p> This example shows a suitable ACE that applies only to the original
directory:

<div class="blockof code">&dollar; SET SECURITY directory.DIR -
  /ACL=(IDENT=HTTP&dollar;SERVER,ACCESS=READ+WRITE+EXECUTE+DELETE)
</div>
 This example shows setting an ACE that will propagate to created files
and importantly, subdirectories:

<div class="blockof code">&dollar; SET SECURITY directory.DIR -
  /ACL=((IDENT=HTTP&dollar;SERVER,OPTIONS=DEFAULT,ACCESS=READ+WRITE+EXECUTE+DELETE), -
        (IDENT=HTTP&dollar;SERVER,ACCESS=READ+WRITE+EXECUTE+DELETE))
</div>

</ol>

<p> To assist with the setting of the required ACEs an example,
general-purpose DCL procedure is provided
(<a class="link blank" target="_blank" href="/wasd_root/example/authace.com">WASD_ROOT:[EXAMPLE]AUTHACE.COM</a>).

<a id="3.14" href="#"></a>
<a id="3.14.securingallrequests" href="#"></a>
<a id="securingallrequests" href="#"></a>
<h2 class="head"><span class="numb">3.14</span><span class="text">Securing All Requests</span></h2>

<p> Some sites may be sensitive enough about Web resources that the possibility
of providing inadvertent access to some area or another is of major concern. 
WASD provides a facility that will automatically deny access to any path that
does not appear in the authorization configuration file.  This does mean that
all paths requiring access must have authorization rules associated with them,
but if something is missed some resource does not unexpectedly become visible.

<p> At server startup the /AUTHORIZE=ALL qualifier enables this facility.

<p> For paths that require authentication and authorization the standard realms
and rules apply.  To indicate that a particular path should be allowed access,
but that no authorization applies the &quot;NONE&quot; realm may be used.  The following
example provides some indication of how it should be used.

<div class="blockof code"># allow the librarian to update this area, world to read it
[VMS;LIBRARIAN=id]
/web/library/* r+w ; read
# indicate there is no authorization to be applied
[NONE]
# allow access to general web areas
/web/* read
# allow access to the WASD_ROOT tree
/wasd_root/* read
</div>

<p> There is also a per-path equivalent of the /AUTHORIZE=ALL functionality,
described in <a class="link blank" target="_blank" href="../config/#setrule">SET Rule</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>.
This allows authorization to be required for every path within a path tree.

<div class="blockof code"># avoid an absence of authorization allowing unintentional access
set /web/sensitive/* auth=all
</div>

<a id="3.15" href="#"></a>
<a id="3.15.userpasswordmodification" href="#"></a>
<a id="userpasswordmodification" href="#"></a>
<h2 class="head"><span class="numb">3.15</span><span class="text">User Password Modification</span></h2>

<p> The server provides for users to be able to change their own HTA passwords
(and SYSUAF if required). This functionality, though desirable from the
administrator's viewpoint, is not  mandatory if the administrator is content to
field any password changes, forgotten passwords, etc.  Keep in mind that
passwords, though not visible during entry, are passed to the server in
clear-text form fields and so are exposed in transit unless the connection is
SSL-protected (which is why SSL is recommended).

<p> Password modification is enabled by including a mapping rule to the internal
change script.  For example:

<div class="blockof code">pass /httpd/-/change/* /httpd/-/change/*
</div>

<p> Any database to be enabled for password modification must have a writable
authorization path associated with it.  For example:

<div class="blockof code">[GROUP=id;GROUP=id]
/httpd/-/change/group/* r+w

[ANOTHER_GROUP=id;ANOTHER_GROUP=id]
/httpd/-/change/another_group/* r+w
</div>

<div class="note"><a id="3.15.0.0.0.1" href="#"></a>
<a id="3.15.note" href="#"></a>
<a id="note" href="#"></a>
<h5 class="head center"><span class="text">Note</span></h5>
<hr class="note_hr">

What looks like redundancy in specifying an identical realm and group
authorization is what allows multiple, independent identifiers to be
individually controlled for password change (i.e. one group of identifier
holders allowed to change the password, another not). 
<hr class="note_hr">
</div>


<p> Use some form of cautionary wrapper if providing this functionality over
something other than an Intranet or SSL connection:

<div class="blockof code">&lt;H2&gt;Change Your Authentication&lt;/H2&gt;

&lt;blockquote&gt;
Change the password used to identify yourself to the REALM Web environment for
some actions.  Note that this &lt;u&gt;not&lt;/u&gt; an operating system password, nor has
it anything to do with it.  Due to the inherent weaknesses of using
non-encrypted password transmissions on networks &lt;font color=&quot;#ff0000&quot;&gt;&lt;u&gt;DO
NOT&lt;/U&gt; use a password you have in use anywhere else, especially an operating
system password!&lt;/font&gt; You need your current password to make the change.  If
you have forgotten what it is contact &lt;a href=&quot;/web/webadmin.html&quot;&gt;WebAdmin&lt;/a&gt;,
preferably via e-mail, for the change to be made on your behalf.
&lt;/blockquote&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;/httpd/-/change/REALM/&quot;&gt;REALM&lt;/a&gt; realm.
&lt;/ul&gt;
</div>

<a id="3.15.0.0.1" href="#"></a>
<a id="3.15.passwordexpiry" href="#"></a>
<a id="passwordexpiry" href="#"></a>
<h5 class="head"><span class="text">Password Expiry</span></h5>

<p> When using SYSUAF authentication it is possible for a password to be
pre-expired, or when a password lifetime is set for a password to expire and
require respecification.  By default an expired password cannot be used for
access.  This may be overridden using the following global configuration
directive.

<div class="blockof code">[AuthSYSUAFacceptExpPwd]  enabled
</div>

<p> Expired passwords may be specially processed by specifying a URL with the
WASD_CONFIG_GLOBAL [AuthSysUafPwdExpURL] configuration directive (see
<a class="link blank" target="_blank" href="../config/#alphabeticlistings">Alphabetic Listings</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>).

<p> The WASD_CONFIG_MAP <span class="high italic">set auth=sysuaf=pwdexpurl=&lt;string&gt;</span> rule allows the
same URL to be specified on a per-path basis. When this is set a request
requiring SYSUAF authentication that specifies a username with an expired
password is redirected to the specified URL.  This should directly or via an
explanatory (wrapper) page redirect to the password change path described
above.  The password change dialog will have a small note indicating the
password has expired and allows it to be changed.

<p> The following WASD_CONFIG_GLOBAL directive

<div class="blockof code"># WASD_CONFIG_GLOBAL
[AuthSysUafPwdExpURL]  https:///httpd/-/change/

# WASD_CONFIG_AUTH
[WASD_VMS_ID=id;WASD_VMS_RW=id]
/httpd/-/change/* r+w
</div>
 would allow expired passwords to be changed.

<p> It is also possible to redirect an expired password to a site-specific page
for input and change.  This allows some customization of the language and
content of the expired password change dialog.  An example document is provided
at <a class="link blank" target="_blank" href="/wasd_root/example/expired.shtml?httpd=content&amp;type=text/plain">WASD_ROOT:[EXAMPLE]EXPIRED.SHTML</a> (<a class="link blank" target="_blank" href="/wasd_root/example/expired.shtml">what
it looks like</a>) ready for relocation and customisation.  Due to the
complexities of passing realm information and then submitting that information
to the server-internal change facility some dynamic processing is required via
an SSI document.

<p> This example assumes the site-specific document has been located at
WEB:[000000]EXPIRED.SHTML and is accessed using SSL.

<div class="blockof code"># WASD_CONFIG_GLOBAL
[AuthSysUafPwdExpURL]  https:///web/expired.shtml?httpd=ignore&amp;realm=vms

# WASD_CONFIG_AUTH
[WASD_VMS_ID=id;WASD_VMS_RW=id]
/httpd/-/change/vms/* r+w
/web/expired.shtml r+w
</div>

<a id="3.16" href="#"></a>
<a id="3.16.cancellingauthorization" href="#"></a>
<a id="cancellingauthorization" href="#"></a>
<h2 class="head"><span class="numb">3.16</span><span class="text">Cancelling Authorization</span></h2>

<p> The reason authorization information is not required to be reentered on
subsequent accesses to controlled paths is that the browser caches that
information.  It is sometimes desirable to be able to access the same path using
different authentication credentials, and correspondingly it would be useful if
a browser had a <span class="high italic">purge authorization cache</span> button, but this is commonly not
the case.  To provide this functionality the server must be used to &quot;trick&quot; the
browser into cancelling the authorization information for a particular path.

<p> This is achieved by adding a specific query string to the path requiring
cancellation.  The server detects this and returns an authorization failure
status (401) regardless of the contents of request &quot;Authorization:&quot; field. 
This results in the browser flushing that path from the authorization cache,
effectively requiring new authorization information the next time that path is
accessed.

<p> There are two variations on this mechanism.

<ol class="list">

<li class="item"> The basic procedure is as follows:

<ul class="list">

<li class="item"> Add the query string &quot;?httpd=logout&quot; to the path in question (if
there is an existing query then replace it), as in the following example.
<div class="blockof code">/the/current/path?httpd=logout
</div>

<li class="item"> The browser will respond with an authorization failure, and prompt to
retry or reenter the username and password.

<li class="item"> It is necessary to clear at least the password (i.e. remove any password
from the appropriate field) and reenter.

<li class="item"> The browser again responds with an authorization failure.

<li class="item"> At this stage the authorization dialog can be cancelled, resulting in a
server authorization failure message.

<li class="item"> The original path can now be returned to and reaccessed.  The browser
should again prompt for authorization information at which point different
credentials may be supplied.

</ul>

<li class="item"> A little more functional: if a revalidation period is in use via
[AuthRevalidateUserMinutes] or 'SET auth=revalidate=' (perhaps set to
something like 23:59:00, or one day), then when the logout query string is supplied
the server resets the entry, forcing any future access to require revalidation. 
A successful logout message is then generated, circumventing the need for the
username/password dialog described above. 

<ul class="list">

<li class="item"> Add or replace the query string &quot;?httpd=logout&quot; to the path in
question as in the following example. 
<div class="blockof code">/the/current/path?httpd=logout
</div>

<li class="item"> The browser will respond with a message stating that authentication has
been cancelled.  That's it!

</ul>

<p> Also when using logout with a revalidation period a redirection URL may be
appended to the logout query string.  It then redirects to the supplied URL. 
It is important that the redirection is returned to the browser and not handled
internally by WASD.  Normal WASD redirection functionality applies.

<div class="blockof code">?httpd=logout&amp;goto=///
?httpd=logout&amp;goto=///help/logout.html
?httpd=logout&amp;goto=http://the.host.name/
</div>

<p> These examples redirect to

<ul class="list simple list0">
<li class="item"> the local home page
<li class="item"> a specific local page
<li class="item"> a specific remote server
</ul>

respectively.

<div class="note">
<a id="3.16.0.0.1" href="#"></a>
<a id="3.16.authenticationcache" href="#"></a>
<a id="authenticationcache" href="#"></a>
<h5 class="head center"><span class="text">Authentication Cache</span></h5>
<hr class="note_hr">
User revalidation relies on an entry being maintained in the authentication
cache.  Each time the entry is flushed, for whatever reason (cache congestion,
command-line purge, server restart, etc.), the user will be prompted for
credentials.  It may be necessary to increase the size of the cache by
adjusting [AuthCacheEntriesMax].
<hr class="note_hr">
</div>

</ol>
<!-- source:0400_TLS.WASDOC -->
<hr class="page">
<a id="4." href="#"></a>
<a id="4.transportlayersecurity" href="#"></a>
<a id="transportlayersecurity" href="#"></a>
<h1 class="head"><span class="numb">4.</span><span class="text">Transport Layer Security</span></h1>

<div class="TOC2cols2" style="width:80%;max-width:80%;">
<table class="TOC2table">
<tr><td><a href="#4.1.letsencrypt"><span class="numb">4.1</span><span class="text">Let's Encrypt</span></a>
<tr><td><a href="#4.2.tlssslfunctionalitysources"><span class="numb">4.2</span><span class="text">TLS/SSL Functionality Sources</span></a>
<tr><td><a href="#4.3.wasdsslquickstart"><span class="numb">4.3</span><span class="text">WASD SSL Quick-Start</span></a>
<tr><td><a href="#4.4.opensslexeapplication"><span class="numb">4.4</span><span class="text">OPENSSL.EXE Application</span></a>
<tr><td><a href="#4.5.sslconfiguration"><span class="numb">4.5</span><span class="text">SSL Configuration</span></a>
<tr><td><a href="#4.5.1.wasdconfigservice"><span class="numb">4.5.1</span><span class="text">WASD_CONFIG_SERVICE</span></a>
<tr><td><a href="#4.5.2.tlssslversions"><span class="numb">4.5.2</span><span class="text">TLS/SSL Versions</span></a>
<tr><td><a href="#4.5.3.sslciphers"><span class="numb">4.5.3</span><span class="text">SSL Ciphers</span></a>
<tr><td><a href="#4.5.4.openssloptions"><span class="numb">4.5.4</span><span class="text">(Open)SSL Options</span></a>
<tr><td><a href="#4.5.5.forwardsecrecy"><span class="numb">4.5.5</span><span class="text">Forward Secrecy</span></a>
<tr><td><a href="#4.5.6.sessionresumption"><span class="numb">4.5.6</span><span class="text">Session Resumption</span></a>
<tr><td><a href="#4.5.7.stricttransportsecurity"><span class="numb">4.5.7</span><span class="text">Strict Transport Security</span></a>
<tr><td><a href="#4.5.8.sslservercertificate"><span class="numb">4.5.8</span><span class="text">SSL Server Certificate</span></a>
<tr><td><a href="#4.5.9.sslprivatekey"><span class="numb">4.5.9</span><span class="text">SSL Private Key</span></a>
<tr><td><a href="#4.5.10.sslvirtualservices"><span class="numb">4.5.10</span><span class="text">SSL Virtual Services</span></a>
<tr><td><a href="#4.5.11.sslaccesscontrol"><span class="numb">4.5.11</span><span class="text">SSL Access Control</span></a>
<tr><td><a href="#4.5.12.authorizationusingx509certification"><span class="numb">4.5.12</span><span class="text">Authorization Using X.509 Certification</span></a>
<tr><td><a href="#4.5.13.x509certificaterenegotiation"><span class="numb">4.5.13</span><span class="text">X.509 Certificate Renegotiation</span></a>
<tr><td><a href="#4.5.14.features"><span class="numb">4.5.14</span><span class="text">Features</span></a>
<tr><td><a href="#4.5.15.subjectalternativenameandotherextensions"><span class="numb">4.5.15</span><span class="text">Subject Alternative Name and Other Extensions</span></a>
<tr><td><a href="#4.5.16.x509configuration"><span class="numb">4.5.16</span><span class="text">X509 Configuration</span></a>
<tr><td><a href="#4.5.17.certificateauthorityverificationfile"><span class="numb">4.5.17</span><span class="text">Certificate Authority Verification File</span></a>
<tr><td><a href="#4.5.18.x509authorizationcgivariables"><span class="numb">4.5.18</span><span class="text">X.509 Authorization CGI Variables</span></a>
<tr><td><a href="#4.6.certificatemanagement"><span class="numb">4.6</span><span class="text">Certificate Management</span></a>
<tr><td><a href="#4.6.1.servercertificate"><span class="numb">4.6.1</span><span class="text">Server Certificate</span></a>
<tr><td><a href="#4.6.2.certificatesigningrequest"><span class="numb">4.6.2</span><span class="text">Certificate Signing Request</span></a>
<tr><td><a href="#4.7.sslcgivariables"><span class="numb">4.7</span><span class="text">SSL CGI Variables</span></a>
<tr><td><a href="#4.8.sslserviceevaluation"><span class="numb">4.8</span><span class="text">SSL Service Evaluation</span></a>
<tr><td><a href="#4.9.sslreferences"><span class="numb">4.9</span><span class="text">SSL References</span></a>
</table>
</div>


<p> <span class="high bold">Transport Layer Security</span> (TLS), and its predecessor <span class="high bold">Secure Sockets
Layer</span> (SSL), are cryptographic protocols designed to provide communication
privacy over a network, in the case of HTTP between the browser (client) and
the server.  It also authenticates server and optionally client identity. 
TLS/SSL operates by establishing an encrypted communication path between the
two applications, &quot;wrapping&quot; the entire application protocol inside the secure
link, providing complete privacy for the entire transaction.  In this way
security-related data such as user identification and password, as well as
sensitive transaction information can be protected from unauthorized access
while in transit. This section is not a tutorial on TLS/SSL.  It contains only
information relating to WASD's use of it.  See <a class="link" href="#4.9.sslreferences">4.9 SSL References</a> for
further information on TLS/SSL technology.

<div class="note">
<a id="4.0.0.0.1" href="#"></a>
<a id="4.tlsandssl" href="#"></a>
<a id="tlsandssl" href="#"></a>
<h5 class="head center"><span class="text">TLS and SSL</span></h5>
<hr class="note_hr">
The terms are used interchangeably in this document to represent cryptographic
communication technology.  They are similar but with important differences. 
TLS is the more modern and considered the more secure.  The term SSL is still
in common usage though and retained here even if WASD (and OpenSSL) now only
implements TLS.  When OpenSSL(.org) considers changing its name WASD will toss
out the term SSL <span class="high _smiley">&thinsp;</span>
<hr class="note_hr">
</div>

<p> <table class="tabl">
<tr class="tabr">
<td class="tabd"><img class="image" style="width:208px;" src="./OpenSSL_logo.png" alt="OpenSSL logo">
<td class="tabd valmid">WASD implements SSL using a freely available software toolkit supported by
the <span class="high bold">OpenSSL Project</span>.
</table>

<p> OpenSSL licensing allows unrestricted commercial and non-commercial use.
This toolkit is in use regardless of whether the WASD OpenSSL package, HP SSL
for OpenVMS product, or other stand-alone OpenSSL environment is installed.  It
is always preferable to move to the latest supported release of OpenSSL as known
bugs in previous versions are progressively addressed (ignoring the issue of
new bugs being introduced ;-)

<div class="note">
<a id="4.0.0.0.2" href="#"></a>
<a id="4.tlsfunctionalityisnotsuppliedwiththebasicwasdpackage" href="#"></a>
<a id="tlsfunctionalityisnotsuppliedwiththebasicwasdpackage" href="#"></a>
<h5 class="head center"><span class="text">TLS functionality is not supplied with the basic WASD package</span></h5>
<hr class="note_hr">
In part this is due to the relative bulk of this component, in further part
that the updates to each are not necessarily coincident, and also considers
potential patent issues and export restrictions on some cryptography technology
in some jurisdictions.
<hr class="note_hr">
</div>

<a id="4.0.0.0.3" href="#"></a>
<a id="4.cryptographysoftware" href="#"></a>
<a id="cryptographysoftware" href="#"></a>
<h5 class="head"><span class="text">Cryptography Software</span></h5>

<p> Be aware that export/import and/or use of cryptography software, or even
just providing cryptography hooks, is illegal in some parts of the world.  When
you re-distribute this package or even email patches/suggestions to the author
or other people, please <span class="high bold">PAY CLOSE ATTENTION TO ANY APPLICABLE
EXPORT/IMPORT LAWS</span>.  The author of this package is not liable for any
violations you make here.

<a id="4.0.0.0.4" href="#"></a>
<a id="4.somethoughtsfromrsengelschall" href="#"></a>
<a id="somethoughtsfromrsengelschall" href="#"></a>
<h5 class="head"><span class="text">Some Thoughts From R. S. Engelschall</span></h5>

<p> Ralf S. Engelschall (rse@engelschall.com) is the author of the popular
Apache <span class="high italic">mod_ssl</span> package.  This section is taken from the
<span class="high italic">mod_ssl</span> read-me and is well-worth some consideration for this and
software security issues in general.

<div class="blockof quote">You should be very sensible when using cryptography software, because just
running an SSL server <span class="high under">DOES NOT</span> mean your system is then secure! 
This is for a number of reasons. The following questions illustrate some of the
problems.

<ul class="list list0">
<li class="item"> SSL itself may not be secure. People think it is, do you?
<li class="item"> Does this code implement SSL correctly?
<li class="item"> Have the authors of the various components put in back doors?
<li class="item"> Does the code take appropriate measures to keep private keys private? 
To what extent is your cooperation in this process required? 
<li class="item"> Is your system physically secure?
<li class="item"> Is your system appropriately secured from intrusion over the network?
<li class="item"> Whom do you trust?  Do you understand the trust relationship involved in
SSL certificates?  Do your system administrators? 
<li class="item"> Are your keys, and keys you trust, generated careful[ly] enough to avoid
reverse engineering of the private keys? 
<li class="item"> How do you obtain certificates, keys, and the like, securely?
<li class="item"> Can you trust your users to safeguard their private keys?
<li class="item"> Can you trust your browser to safeguard its generated private key?
</ul>

If you can't answer these questions to your personal satisfaction, then you
usually have a problem.  Even if you can, you may still <span class="high under">NOT</span> be
secure.  Don't blame the authors if it all goes horribly wrong.  Use it at your
own risk!
</div>

<a id="4.1" href="#"></a>
<a id="4.1.letsencrypt" href="#"></a>
<a id="letsencrypt" href="#"></a>
<h2 class="head"><span class="numb">4.1</span><span class="text">Let's Encrypt</span></h2>

<p> Have (or want) a TLS/SSL secured site?

<p> Using self-signed or commercial server certificate(s)?

<p> <span class="high bold">Let's Encrypt</span> makes it possible to obtain and maintain browser-trusted
certificates, simply, automatically and <span class="high bold">at no cost</span>.

<p> See <span class="high under">WASD Certificate Management Environment</span> (wuCME) on the WASD
download page at <a class="link blank" target="_blank" href="https://wasd.vsm.com.au/wasd/#wucme">https://wasd.vsm.com.au/wasd/</a>

<a id="4.2" href="#"></a>
<a id="4.2.tlssslfunctionalitysources" href="#"></a>
<a id="tlssslfunctionalitysources" href="#"></a>
<h2 class="head"><span class="numb">4.2</span><span class="text">TLS/SSL Functionality Sources</span></h2>

<p> Secure Sockets Layer functionality is easily integrated into WASD and is
available from one (or more) of the following sources.  See
 for the basics of installing WASD SSL and
 for configuration of various aspects.

<div class="note center">
<a id="4.2.0.0.1" href="#"></a>
<a id="4.2.allopenssl102andearlier" href="#"></a>
<a id="allopenssl102andearlier" href="#"></a>
<h5 class="head center"><span class="text">All OpenSSL 1.0.2 and earlier</span></h5>
<hr class="note_hr">
are considered obsolete, deprecated and unsupported
<hr class="note_hr">
</div>

<ol class="list">

<li class="item"> The <span class="high bold">VSI SSL111 for OpenVMS</span> product

<p> This is provided from the directory
SYS&dollar;COMMON:<a class="link blank" target="_blank" href="/sys$common/ssl111/*.*">[SSL111]</a>
containing shared libraries, executables and templates for certificate
management, etc.  If this product is installed and started the WASD
installation and update procedures should detect it and provide the option of
compiling and/or linking WASD against its shareable libraries.

<li class="item"> As a separate, easily integrated <span class="high bold">WASD OpenSSL package</span>, with OpenSSL
object  libraries, OpenSSL utility object modules for building executables and
WASD support files.  Currently it is based on the OpenSSL v1.1.1 code stream. 
The package requires no compilation, only linking, and is available for Alpha
and Itanium for VMS version 7.0 up to current.

<p> WASD OpenSSL installation creates an OpenSSL directory in the source
WASD_ROOT:[SRC<a class="link blank" target="_blank" href="/wasd_root/src/*.*">.OPENSSL-n_n_n]</a> &nbsp;(look for
it here) containing the OpenSSL copyright notice, object libraries, object
modules for building executables, example certificates, and some other support
files and documentation.

<li class="item"> Using a locally compiled and installed <span class="high bold">OpenSSL toolkit</span>.

<p> The OpenSSL v1.1.1 code stream is supported.  WASD requires a 32 bit OpenSSL
build (the default).

<p> To change linkage use step 2 described in 
selecting the alternate toolkit build.

<p> OpenSSL v1.1.1 uses the naming schema OSSL&dollar;&hellip; for logical and file
names.  It also provides object libraries for a static linked executable, as
well as shareable images, for the two main APIs (SSL and crypto).  In common
with the VSI SSL111 product, the shareable images must be installed to be used
with the WASD server privileged executable.  The WASD STARTUP.COM procedure
will undertake this when directed (see immediately below).

<p> There is one other consideration.  For a privileged executable to activate
a shareable image, not only must the image be installed but any associated
logical names must be defined in executive (or kernel) mode.  When executing
the OpenSSL v1.1.1 startup procedure P1 must be
&quot;<span class="high italic monosp">SYSTEM/EXECUTIVE</span>&quot; as in the following example:

<div class="blockof code">&dollar; @SYS&dollar;COMMON:[OPENSSL.SYS&dollar;STARTUP]OPENSSL_STARTUP0101.COM &quot;/SYSTEM/EXECUTIVE&quot;
&dollar; @WASD_ROOT:[STARTUP]STARTUP WASD_OSSL=1
</div>

</ol>

<a id="4.3" href="#"></a>
<a id="4.3.wasdsslquickstart" href="#"></a>
<a id="wasdsslquickstart" href="#"></a>
<h2 class="head"><span class="numb">4.3</span><span class="text">WASD SSL Quick-Start</span></h2>

<p> SSL functionality can be installed with a new package, or with an update,
or it can be added to an existing non-SSL enabled site.  The following steps
give a quick outline for support of SSL.

<ol class="list">

<li class="item"> If using the VSI SSL111 product or an already installed OpenSSL toolkit
go directly to step 2.  To install the WASD OpenSSL package the ZIP archive
needs to be restored.

<ul class="list">

<li class="item"> The ZIP archive will contain brief installation instructions.  Use the
following command to read this and any other information provided.

<div class="blockof code">&dollar; UNZIP -z device:[dir]archive.ZIP
</div>

<li class="item"> <span class="high under">Either</span> UNZIP the WASD OpenSSL package into a new installation

<div class="blockof code">&dollar; SET DEFAULT [.WASD_ROOT]
&dollar; UNZIP device:[dir]archive.ZIP
</div>

<li class="item"> <span class="high under">OR</span> into an existing installation

<div class="blockof code">&dollar; SET DEFAULT WASD_ROOT:[000000]
&dollar; UNZIP device:[dir]archive.ZIP
</div>

</ul>

<li class="item"> It is then necessary to build the (server and Open)SSL executables.

<ul class="list">

<li class="item"> During an original INSTALL or subsequent UPDATE of the entire package
the procedures detect a suitable SSL toolkit and prompt the user whether an
SSL-enabled server should be built.

<li class="item"> To add SSL functionality to an existing but non-SSL site, just the SSL
components can be built using the following procedure.

<div class="blockof code">&dollar; @WASD_ROOT:[INSTALL]UPDATE SSL
</div>

</ul>

<li class="item"> Once linked the UPDATE.COM procedure will prompt for permission to execute
the demonstration/check procedure.

<p> It is also possible to check the SSL package at any other time using the
server demonstration procedure. It is necessary to specify that it is to use
the SSL executable.  Follow the displayed instructions.

<div class="blockof code">&dollar; @WASD_ROOT:[INSTALL]DEMO.COM SSL
</div>

<li class="item"> Modification of server startup procedures should not be necessary.  If an
SSL image is detected during startup it will be used in preference to the
standard image.

<li class="item"> Modify the WASD_CONFIG_SERVICE configuration file to specify an SSL
service.  For example the following adds a generic SSL service on port 443.

<div class="blockof code">[[https://*:443]]
</div>

<li class="item"> Shutdown the server completely, then restart.

<div class="blockof code">&dollar; HTTPD /DO=EXIT
&dollar; @WASD_ROOT:[STARTUP]STARTUP
</div>

<li class="item"> To check the functionality (on default ports) access the server via

<ul class="list simple">

<li class="item"> Standard HTTP

<div class="blockof code">http://the.example.com/
</div>

<li class="item"> SSL HTTP

<div class="blockof code">https://the.example.com/
</div>

</ul>

<li class="item"> Once the server has been proved functional with the example certificate
it is recommended that a server-specific certificate be created using the tools
described in <a class="link" href="#4.6.1.servercertificate">4.6.1 Server Certificate</a> and <a class="link" href="#4.6.certificatemanagement">4.6 Certificate Management</a>. 

</ol>

<a id="4.4" href="#"></a>
<a id="4.4.opensslexeapplication" href="#"></a>
<a id="opensslexeapplication" href="#"></a>
<h2 class="head"><span class="numb">4.4</span><span class="text">OPENSSL.EXE Application</span></h2>

<p> The OPENSSL.EXE application is a command line tool for using the various
cryptography functions of OpenSSL's crypto library from the shell.  Its use is
described several times in this section of the documentation. 
Refer to the OpenSSL man page for descriptions of the various commands and
their syntax. 

<ul class="list simple list0">
<li class="item"> <a class="link blank" target="_blank" href="https://www.openssl.org/docs/manmaster/man1/openssl.html">https://www.openssl.org/docs/manmaster/man1/openssl.html</a>
<li class="item"> <a class="link blank" target="_blank" href="https://wiki.openssl.org/index.php/Command_Line_Utilities">https://wiki.openssl.org/index.php/Command_Line_Utilities</a>
</ul>

<p> It is commonly used as a <span class="high italic">foreign verb</span> on VMS systems,
assigned during SYLOGIN.COM or LOGIN.COM; the procedure used depends on the
distribution and version in use.  For example:

<ul class="list simple list0">
<li class="item"> &dollar; @SSL111&dollar;COM:SSL111&dollar;UTILS.COM
<li class="item"> &dollar; @OSSL&dollar;INSTROOT:[SYS&dollar;STARTUP]OPENSSL_UTILS0101.COM
</ul>

<p> A simple addition to SYLOGIN.COM or LOGIN.COM for WASD-specific OpenSSL
kits to assign the OPENSSL verb is:

<div class="blockof code">&dollar; @WASD_ROOT:[EXAMPLE]WASDVERBS.COM SSL
</div>

<a id="4.5" href="#"></a>
<a id="4.5.sslconfiguration" href="#"></a>
<a id="sslconfiguration" href="#"></a>
<h2 class="head"><span class="numb">4.5</span><span class="text">SSL Configuration</span></h2>

<p> The example server startup procedure already contains support for the SSL
executable.  If this has been used as the basis for startup then an SSL
executable will be started automatically, rather than the standard
executable. The SSL executable supports both standard HTTP services (ports) and
HTTPS services (ports).  These must be configured using the [service]
parameter.  SSL services are distinguished by specifying &quot;https:&quot; in the
parameter.  The default port for an SSL service is 443.

<p> WASD can configure services using the WASD_CONFIG_GLOBAL [SSL..]
directives, the per-service WASD_CONFIG_SERVICE [ServiceSSL..] directives, or
the /SSL= qualifier.  Configuration precedence is WASD_CONFIG_SERVICE, /SSL= and
finally WASD_CONFIG_GLOBAL.

<a id="4.5.1" href="#"></a>
<a id="4.5.1.wasdconfigservice" href="#"></a>
<a id="wasdconfigservice" href="#"></a>
<h3 class="head"><span class="numb">4.5.1</span><span class="text">WASD_CONFIG_SERVICE</span></h3>

<p> SSL service configuration using the WASD_CONFIG_SERVICE configuration is
slightly simpler, with a specific configuration directive for each aspect. (see
<a class="link blank" target="_blank" href="../config/#serviceconfiguration">Service Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>).
This example illustrates configuring the same services as used in the previous
section.

<div class="blockof code">[[http://alpha.example.com:80]]

[[https://alpha.example.com:443]]
[ServiceSSLversion]  TLSvALL
[ServiceSSLcert]  WASD_ROOT:[local]alpha.pem

[[https://beta.example.com:443]]
[ServiceSSLversion]  SSLv3
[ServiceSSLcert]  WASD_ROOT:[local]beta.pem
</div>

<a id="4.5.2" href="#"></a>
<a id="4.5.2.tlssslversions" href="#"></a>
<a id="tlssslversions" href="#"></a>
<h3 class="head"><span class="numb">4.5.2</span><span class="text">TLS/SSL Versions</span></h3>
<a id="4.5.2.0.0.1" href="#"></a>
<a id="4.5.2.sslversions" href="#"></a>
<a id="sslversions" href="#"></a>
<h6 class="head display0"><span class="text">SSL Versions</span></h6>

<p> As WASD uses the OpenSSL package in one distribution or another it largely
supports all of the capability of that underlying package. The obsolete SSLv2
and the deprecated SSLv3 are no longer accepted by default.  The WASD default
comprises the TLS family of protocols, at the time of writing <span class="high bold">TLSv1,
TLSv1.1, TLSv1.2 and TLSv1.3</span>.

<p> Some older clients employing SSLv3 may fail.  Symptoms are
dropped connection establishment and WATCH [x]SSL variously showing &quot;SSL
routines SSL<span class="high italic">n</span>_GET_RECORD wrong version number&quot;, &quot;SSL
routines SSL<span class="high italic">n</span>_GET_CLIENT_HELLO unknown protocol&quot;, possibly others. 
It is generally considered TLS/SSL best practice not to have SSLv3 enabled, but
if required it may be supported by configuring WASD_CONFIG_GLOBAL [SSLversion] with
&quot;SSLv3,TLSvALL&quot;, the per-service WASD_CONFIG_SERVICE equivalent, or
using the /SSL=(SSLv3,TLSvALL) command line parameter during server startup.
Note that enabling it applies to every client of the service concerned, not
only to the older clients that need it.

<a id="4.5.2.0.1" href="#"></a>
<a id="4.5.2.tlsversion13" href="#"></a>
<a id="tlsversion13" href="#"></a>
<h5 class="head"><span class="text">TLS Version 1.3</span></h5>

<p> TLSv1.3 perhaps should have been designated TLSv2.0, as it should be considered
not an incremental improvement over earlier versions of TLS but a significant
upgrade!

<ul class="list simple">

<li class="item"> <a class="link blank" target="_blank" href="https://wiki.openssl.org/index.php/TLS1.3">https://wiki.openssl.org/index.php/TLS1.3</a>

</ul>

<p> TLSv1.3 can be tested for as demonstrated at <a class="link" href="#4.8.testtlsversion13">&lsquo;test TLS Version 1.3&rsquo; in 4.8 SSL Service Evaluation</a>.

<a id="4.5.3" href="#"></a>
<a id="4.5.3.sslciphers" href="#"></a>
<a id="sslciphers" href="#"></a>
<h3 class="head"><span class="numb">4.5.3</span><span class="text">SSL Ciphers</span></h3>

<p> Ciphers are the algorithms, designed and implemented on mathematical
computations, that render readable plaintext into unreadable ciphertext. 
Ciphers tend to be available in suites (or families) of variants, usually
differing in key size and therefore in resistance to decryption without the key,
which browsers and other agents negotiate on and accept when setting up a secure
(encrypted) network transport with servers.

<p> Cipher selection is important to the overall security of the supported
environment as well as to the range of clients and servers that can establish
communication due to shared cipher suites.  Including only more recent
(and technically secure) ciphers can preclude older clients from establishing
a secure connection, and including older (and perhaps more susceptible to modern
attack) ciphers increases site vulnerability.  Some environments, for example
HTTP/2, are quite prescriptive regarding the secure connection, to the point of
blacklisting protocol versions and cipher suites no longer considered secure
enough. 

<p> Fortunately a number of sites provide cipher guidelines based on
requirements.  The Mozilla Developer Network provides these amongst other
useful information on security and server side TLS.

<p class="indent"> <a class="link blank" target="_blank" href="https://wiki.mozilla.org/Security/Server_Side_TLS">https://wiki.mozilla.org/Security/Server_Side_TLS</a>

<p> WASD has a default (built-in) functional cipher list that is general in
application and relevant to when it was compiled.  This in particular, and site
cipher lists in general, should be reviewed from time to time as opinions and
requirements do change.

<p> Many agents (browsers) require the elliptic curve ciphers provided by
Forward Secrecy elements (<a class="link" href="#4.5.5.forwardsecrecy">4.5.5 Forward Secrecy</a>) to negotiate later TLS
versions.

<a id="4.5.3.0.0.1" href="#"></a>
<a id="4.5.3.ssloptions" href="#"></a>
<a id="ssloptions" href="#"></a>
<h6 class="head display0"><span class="text">SSL Options</span></h6>
<a id="4.5.3.0.0.2" href="#"></a>
<a id="4.5.3.tlsssloptions" href="#"></a>
<a id="tlsssloptions" href="#"></a>
<h6 class="head display0"><span class="text">TLS/SSL Options</span></h6>
<a id="4.5.3.0.0.3" href="#"></a>
<a id="4.5.3.openssloptions" href="#"></a>
<a id="openssloptions" href="#"></a>
<h6 class="head display0"><span class="text">OpenSSL Options</span></h6>
<a id="4.5.4" href="#"></a>
<a id="4.5.4.openssloptions" href="#"></a>
<a id="openssloptions" href="#"></a>
<h3 class="head"><span class="numb">4.5.4</span><span class="text">(Open)SSL Options</span></h3>

<p> The OpenSSL package provides for various options to be flagged against a
TLS/SSL service.  WASD sets the (OpenSSL) default options and then allows these to
be overwritten/set/reset using hexadecimal values representing bit patterns. 
OpenSSL defaults are suitable for most sites. 

<p> The SSL options directives in global and per-service configuration, and the
OPTIONS= keyword for the /SSL= qualifier, accept

<ul class="list simple list0">
<li class="item"> 0x<span class="high italic">XX</span> - overwrite the options field
<li class="item"> +0x<span class="high italic">XX</span> - set (logical OR) the specified bit(s)
<li class="item"> -0x<span class="high italic">XX</span> - reset (logical AND) the specified bit(s)
</ul>

<p> Alternatively, the following OpenSSL option mnemonics can be used with a
leading &quot;+&quot; to enable, or &quot;-&quot; to disable

<ul class="list simple list0">
<li class="item"> OP_ALL
<li class="item"> OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
<li class="item"> OP_CIPHER_SERVER_PREFERENCE
<li class="item"> OP_LEGACY_SERVER_CONNECT
<li class="item"> OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
<li class="item"> OP_NO_TICKET
<li class="item"> OP_SINGLE_DH_USE
<li class="item"> OP_TLS_ROLLBACK_BUG
</ul>

<a id="4.5.5" href="#"></a>
<a id="4.5.5.forwardsecrecy" href="#"></a>
<a id="forwardsecrecy" href="#"></a>
<h3 class="head"><span class="numb">4.5.5</span><span class="text">Forward Secrecy</span></h3>

<p> Forward secrecy, sometimes known as perfect forward secrecy (PFS), is a
property of key-agreement protocols ensuring that a session key derived from a
set of long-term keys cannot be compromised if one of the long-term keys is
compromised in the future.

<p class="indent"> <a class="link blank" target="_blank" href="http://en.wikipedia.org/wiki/Forward_secrecy">http://en.wikipedia.org/wiki/Forward_secrecy</a>

<p> OpenSSL supports forward secrecy using Diffie-Hellman key exchange with
elliptic curve cryptography and this relies on generating ephemeral keys based
on unique, safe prime numbers. These are expensive to generate and so this is
done infrequently, often during software build or installation. In the case of 
WASD, to maximise flexibility, these numbers are stored in external PEM-format
files, by default located in the WASD_ROOT:[LOCAL] directory. These files are
only briefly accessed during server startup SSL initialisation and the content
later used during network connection SSL negotiation to generate the required
ephemeral keys.

<p> PFS requires a small number of elements working in concert

<ul class="list list0">
<li class="item"> Ephemeral key generation
<li class="item"> Selection and ordering of server ciphers
<li class="item"> Ensuring the server determines the cipher used
(+OP_CIPHER_SERVER_PREFERENCE)
</ul>

<p> The detail is described in these references

<ul class="list simple list0">
<li class="item"> <a class="link blank" target="_blank" href="https://community.qualys.com/blogs/securitylabs/2013/06/25/\ssl-labs-deploying-forward-secrecy">https://community.qualys.com/blogs/securitylabs/2013/06/25/\ssl-labs-deploying-forward-secrecy</a>
<li class="item"> <a class="link blank" target="_blank" href="https://community.qualys.com/blogs/securitylabs/2013/08/05/\configuring-apache-nginx-and-openssl-for-forward-secrecy">https://community.qualys.com/blogs/securitylabs/2013/08/05/\configuring-apache-nginx-and-openssl-for-forward-secrecy</a>
</ul>

<div class="note center"><a id="4.5.5.0.0.1" href="#"></a>
<a id="4.5.5.note" href="#"></a>
<a id="note" href="#"></a>
<h5 class="head center"><span class="text">Note</span></h5>
<hr class="note_hr">

Ephemeral keys are supported beginning with WASD v10.4.1.
<hr class="note_hr">
</div>

<p> Executing the WASD OpenSSL procedure

<div class="blockof code">&dollar; @CREATE_EPHEMERAL_DH_PARAM
</div>
 will generate site-unique files containing 512, 1024 and 2048 bit primes,
and optionally copy those files to the WASD_ROOT:[LOCAL] directory. The [.CERT]
directory contains files that could be used, but unique, locally generated
primes are preferable.

<p> Alternatively, generated directly at the command-line using the OpenSSL
<span class="high italic">dhparam</span> utility, as in these examples;

<div class="blockof code">&dollar; openssl dhparam -out dh_param_512.pem 512
&dollar; openssl dhparam -out dh_param_1024.pem 1024
&dollar; openssl dhparam -out dh_param_2048.pem 2048
</div>

<div class="note center"><a id="4.5.5.0.0.2" href="#"></a>
<a id="4.5.5.note" href="#"></a>
<a id="note" href="#"></a>
<h5 class="head center"><span class="text">Note</span></h5>
<hr class="note_hr">

Key generation can take some considerable time!
<hr class="note_hr">
</div>

 The file(s) must be located in the WASD_ROOT:[LOCAL] directory and the
file names use the format DH_PARAM_<span class="high italic">number-of-bits</span>.PEM

<p> Alternatively, files containing ephemeral keys generated freshly with
each release may be copied from the WASD OpenSSL package using

<div class="blockof code">&dollar; COPY WASD_ROOT:[SRC.OPENSSL-n_n_n.WASD.CERT]DH_PARAM_*.PEM WASD_ROOT:[LOCAL]
</div>

<a id="4.5.6" href="#"></a>
<a id="4.5.6.sessionresumption" href="#"></a>
<a id="sessionresumption" href="#"></a>
<h3 class="head"><span class="numb">4.5.6</span><span class="text">Session Resumption</span></h3>


<p> When a TLS/SSL connection is initiated an expensive handshake (in terms of
time and compute) is required to establish the cryptographic and other elements
of the connection.  Mitigation of this expense is undertaken by allowing the
resumption of a previous session (abbreviating the handshake exchanges) using
connection state stored either at the server or at the client.

<ul class="list">


<li class="item"> <span class="high bold">Session Ticket</span>

<p> This TLS extension provides the connection state to the client, encrypted
with keys available only to the server.  The client stores the (encrypted)
state and when (re-)connecting to the server provides that ticket in the
initial part of the handshake.  The server decrypts the ticket and if valid
expedites the connection by resuming the previously negotiated session.  This
is the more modern, almost universally supported mechanism and is generally
enabled by default.

<p> Session tickets introduce a potential vulnerability to TLS security, in
particular to the benefits of Forward Secrecy (PFS).  If the ticket can be
compromised, through theft of the keys or brute-force decryption attack, the
entire session becomes vulnerable to attack.  It is therefore advised to
periodically rotate (change) the keys used by the server to encrypt the
tickets.  WASD does this every (RFC recommended) 24 hours, at midnight (local
time).

<p> Where a site is provided by multiple servers and connections distributed
between these, session resumption using tickets relies on each server using the
same keys.  The current keys must be distributed to each server (using a secure
mechanism) and this performed every time the keys are rotated.  WASD uses the
DLM to perform this for multiple per-node and cluster-wide instances as
applicable.

<li class="item"> <span class="high bold">Session ID</span>

<p> In a full handshake the server sends a Session ID (unique, non-repeating
value) as part of the handshake.  On a subsequent connection the client can
pass this session ID back to the server when connecting.  To support session 
resumption via session IDs the server must maintain a cache that maps past
session IDs to those sessions' states.  The cache has limited capacity and is
expensive for the server to maintain.  If the session ID is still available in
the cache the session can be resumed.  This is the original session resumption
mechanism.

<p> Where a single WASD instance is involved the session cache is implemented
in-memory.  With multiple instances on a single node it is provided across
those instances using a shared global section.  The capacity of this shared
cache is determined by the WASD_CONFIG_GLOBAL [SSLinstanceCacheMax]
and [SSLinstanceCacheSize] directives.  There is no cluster-wide session cache. 
When multiple instances are in use the shared session cache is enabled by
default.  Session ID caching may be globally disabled by setting
[SSLsessionCacheMax] to -1.

</ul>

<p> With Session Tickets being the more modern, flexible and efficient solution
to session resumption (and being available cluster-wide) it is recommended that
WASD sites disable Session ID caching.

<p> The default maximum period for session reuse is five
minutes.  This may be set globally using the [SSLsessionLifetime] directive or
on a per-service basis using [ServiceSSLsessionLifetime].

<p> To some extent, the relatively long-lived connections and lower concurrency
with HTTP/2 means the importance of session resumption in improving request
latency and connection overhead is reduced.

<a id="4.5.7" href="#"></a>
<a id="4.5.7.stricttransportsecurity" href="#"></a>
<a id="stricttransportsecurity" href="#"></a>
<h3 class="head"><span class="numb">4.5.7</span><span class="text">Strict Transport Security</span></h3>

<p> HTTP Strict Transport Security (HSTS) is a security policy mechanism
which helps protect sites against protocol downgrade attacks and cookie
hijacking.  It allows web servers to declare that browsers and other complying
agents should only interact using secure (TLS) HTTP connections and never via
clear-text HTTP.  HSTS is an IETF standard specified in RFC 6797.

<p> When global configuration directive [SSLstrictTransSec] is non-zero, or
per-service configuration directive [ServiceSSLstrictTransSec] is non-zero, or
a path is <span class="high italic">SET response=sts=&lt;value&gt;</span>, TLS/SSL HTTP
responses include a &quot;Strict-Transport-Security:
max-age=<span class="high italic">seconds</span>&quot; header field.  Conforming agents note this period
and refuse to communicate with the site via clear-text HTTP for the period
represented by the integer number of seconds specified.

<a id="4.5.8" href="#"></a>
<a id="4.5.8.sslservercertificate" href="#"></a>
<a id="sslservercertificate" href="#"></a>
<h3 class="head"><span class="numb">4.5.8</span><span class="text">SSL Server Certificate</span></h3>

<p> The server certificate is used by the browser to authenticate the server
against the server certificate's Certificate Authority (CA), in making a secure
connection, and in establishing a trust relationship between the browser and
server.  By default this is located using the WASD_CONFIG_GLOBAL [SSLcert] or
WASD_CONFIG_SERVICE [ServiceSSLcert] configuration directive, the
WASD_CONFIG_SSL_CERT logical name, or the /SSL= command-line qualifier.  If
required, each SSL service can have an individual certificate configured, as in
the example above.

<a id="4.5.9" href="#"></a>
<a id="4.5.9.sslprivatekey" href="#"></a>
<a id="sslprivatekey" href="#"></a>
<h3 class="head"><span class="numb">4.5.9</span><span class="text">SSL Private Key</span></h3>

<p> The <span class="high italic">private key</span> is used to validate and enable the server
certificate.  A private key is enabled using a <span class="high italic">secret</span>, a password. 
It is common practice to embed this (encrypted) password within the private key
data.  This private key can be appended to the server certificate file, or it
can be supplied separately.  If provided separately it can be located using the
WASD_CONFIG_GLOBAL [SSLkey] or WASD_CONFIG_SERVICE [ServiceSSLkey] configuration
directive, or using the WASD_CONFIG_SSL_KEY logical.  When the password is
embedded in the private key information the key becomes vulnerable to being
stolen as an already-enabled key (possession of the file alone suffices).  For
this reason it is possible to provide the password separately and manually.

<p> If the password is not found with the key during startup the server
will request that it be entered at the command-line.  This request is made via
the HTTPDMON &quot;STATUS:&quot; line
(see
<a class="link blank" target="_blank" href="../config/#opcomlogging">OPCOM Logging</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>),
and, if any OPCOM category is enabled, via an operator message.  If the private
key password is not available with the key it is recommended that OPCOM be
configured, enabled and monitored at all times.

<p> When a private key password is requested by the server it is supplied using
the /DO=SSL=KEY=PASSWORD directive (<a class="link" href="#9.7.httpdcommandline">9.7 HTTPd Command Line</a>).  This must be
used at the command line on the same system as the server is executing.  The
server then prompts for the password.

<div class="blockof code">Enter private key password []:
</div>
 The password is not echoed.  When entered the password is securely 
supplied to the server and startup progresses.  An incorrect password will be
reprompted for twice (i.e. up to three attempts are allowed) before the startup
continues with the particular service not configured and unavailable.  Entering
a password consisting of all spaces will cause the server to abort the full
startup and exit from the system.

<a id="4.5.10" href="#"></a>
<a id="4.5.10.sslvirtualservices" href="#"></a>
<a id="sslvirtualservices" href="#"></a>
<h3 class="head"><span class="numb">4.5.10</span><span class="text">SSL Virtual Services</span></h3>

<p> Multiple virtual SSL services (https:) sharing the same or individual
certificates (and  other characteristics) can essentially be configured against
any host name (unique IP address or host name alias) and/or port in the same
way as standard services (http:).

<p> WASD SSL implements <span class="high bold">Server Name Indication</span> (SNI), an
extension to the TLS protocol that indicates what hostname the client is
attempting to connect to at the start of the handshaking process.  This allows
a server to present multiple certificates on the same IP address and port
number and hence allows multiple secure (HTTPS) websites (or any other Service
over TLS) to be served off the same IP address without requiring all those
sites to use the same certificate.

<p> When the client presents an SNI server name during SSL connection
establishment, WASD searches the list of services it is offering for an SSL
service (the first hit) operating with a name matching the SNI server name.  If
matched, the SSL context (certificate, etc.) of that service is used to
establish the connection.  If not matched, the service the TCP/IP connection
originally arrived at is used.

<a id="4.5.11" href="#"></a>
<a id="4.5.11.sslaccesscontrol" href="#"></a>
<a id="sslaccesscontrol" href="#"></a>
<h3 class="head"><span class="numb">4.5.11</span><span class="text">SSL Access Control</span></h3>

<p> When authorization is in place (<a class="link" href="#3.authenticationandauthorization">3. Authentication and Authorization</a>)
access to username/password controlled data/functionality benefits enormously
from the privacy of an authorization environment inherently secured via the
encrypted communications of SSL.  In addition there is the possibility of
authentication via client X.509 certification (<a class="link" href="#4.5.12.authorizationusingx509certification">4.5.12 Authorization Using X.509 Certification</a>).  SSL may be used as part of the site's access control
policy, as whole-of-site, see <a class="link" href="#3.2.authenticationpolicy">3.2 Authentication Policy</a>, or on a per-path
basis (see <a class="link blank" target="_blank" href="../config/#requestprocessingconfiguration">Request Processing Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>).

<a id="4.5.12" href="#"></a>
<a id="4.5.12.authorizationusingx509certification" href="#"></a>
<a id="authorizationusingx509certification" href="#"></a>
<h3 class="head"><span class="numb">4.5.12</span><span class="text">Authorization Using X.509 Certification</span></h3>

<p> The server access control functionality (authentication and authorization)
allows the use of <span class="high italic">public key infrastructure</span> (PKI) X.509 v3 client
certificates for establishing  identity and based on that apply authorization
constraints.  See <a class="link" href="#3.authenticationandauthorization">3. Authentication and Authorization</a> for general
information on WASD authorization and <a class="link" href="#3.4.authorizationconfigurationfile">3.4 Authorization Configuration File</a>
for configuring a X509 realm.  <a class="link" href="#4.transportlayersecurity">4. Transport Layer Security</a> provides
introductory references on public-key cryptography and PKI. 

<p> A client certificate is stored by the browser.  During an SSL transaction
the server can request that such a certificate be provided.  For the initial
instance of such a request the browser activates a dialog requesting the user
select one of any certificates it has installed.  If selected it is transmitted 
securely to the server which will usually (though optionally not) authenticate
its Certificate Authority to establish its integrity.  If accepted it can
then be used as an authenticated identity.  This obviates the use of
username/password dialogs.

<div class="note">
<a id="4.5.12.0.1" href="#"></a>
<a id="4.5.12.important" href="#"></a>
<a id="important" href="#"></a>
<h5 class="head center"><span class="text">Important</span></h5>
<hr class="note_hr">
Neither username/password nor certificate-based authentication addresses
security issues related to access to individual machines and stored
certificates, or to password confidentiality.  Public-key cryptography only
verifies that a private key used to sign some data corresponds to the public
key in a certificate.  It is a user responsibility to protect a machine's
physical security and to keep private-key passwords secret.
<hr class="note_hr">
</div>

<p> The initial negotiation and verification of a client certificate is a
relatively resource intensive process.  Once established however, OpenSSL
sessions are usually either stored in a cache or stored encrypted within the
client, reducing subsequent request overheads significantly.  Each session has
a specified expiry period after which the client is forced to negotiate a new
session.  This period is adjustable using the &quot;[LT:integer]&quot; and
&quot;[TO:integer]&quot; directives described below.

<a id="4.5.13" href="#"></a>
<a id="4.5.13.x509certificaterenegotiation" href="#"></a>
<a id="x509certificaterenegotiation" href="#"></a>
<h3 class="head"><span class="numb">4.5.13</span><span class="text">X.509 Certificate Renegotiation</span></h3>

<p> An X.509 client certificate is requested at either TLS/SSL connection
establishment (WASD_CONFIG_GLOBAL [SSLverifyPeer], WASD_CONFIG_SERVICE
[ServiceSSLverifyPeer]) or once the request has been made and assessed against
authorisation rules.  If an X509 realm controls access to the resources then
the TLS/SSL connection is queried for an X.509 client certificate to
authenticate the client and authorise the access.

<p> This is performed via a TLS/SSL renegotiation and for this the connection
must have been cleared of request data.  In the case of a HEAD, GET, OPTIONS,
etc. request, this already has implicitly occurred by there being no request
body.  For POST, PROPFIND, PUT, etc. requests, the client most likely already
will be transmitting the request body.  This (<span class="high italic">application data</span>) must
be absorbed before the client certificate renegotiation can be performed.

<p> In avoiding disruption to the current request, any request body must be
buffered (in full, based on the content length specified in the header) before
issuing the renegotiation.  This consumes memory and potentially large
quantities.  The default maximum buffer space is 1MB.  The maximum request body
size and hence maximum memory accommodated can be configured using the
per-service WASD_CONFIG_SERVICE [ServiceSSLverifyDataMax] directive, or the
global WASD_CONFIG_GLOBAL configuration directive [SSLverifyDataMax].

<p> Where a request with a body exceeds the maximum allowed buffer space the
authorisation fails.  This can be observed using WATCH.  Where very large files
are being sent the only solution is to first authenticate with a request
without a body (e.g. using OPTIONS) then using the persistent connection and
associated X.509 authentication perform the PUT or POST.

<a id="4.5.14" href="#"></a>
<a id="4.5.14.features" href="#"></a>
<a id="features" href="#"></a>
<h3 class="head"><span class="numb">4.5.14</span><span class="text">Features</span></h3>

<p> WASD provides a range of capabilities when using X.509 client certificates.

<ul class="list">

<li class="item"> <span class="high bold">By Service &ndash; </span> all SSL connections to such a
service will be requested to supply a client certificate during the initial SSL
handshake.  This is more efficient than requesting later in the transaction, as
happens with per-resource authorization.  A client cannot connect successfully
to this type of service without supplying an acceptable certificate.
                 
<li class="item"> <span class="high bold">By Resource &ndash; </span> using authorization rules in the WASD_CONFIG_AUTH file
specifying a path against an [X509] realm causes the server to suspend request
processing and renegotiate with the client to supply a certificate.  If a
suitable certificate is supplied the request authorization continues with
normal processing.  This obviously incurs an additional network transaction.

<li class="item"> <span class="high bold">Optional access control &ndash; </span> once an acceptable certificate is supplied
it can be subject to further access control by matching against its contents. 
The <span class="high italic">Issuer</span> (CA) and the <span class="high italic">Subject</span> (client) <span class="high italic">Distinguished Name</span> (DN) have
various  components including the name of the organization providing the
certificate (e.g. &quot;VeriSign&quot;, &quot;Thawte&quot;), location, common name, email address,
etc.  Those certificates matching or not matching the parameters are allowed or
denied access.

<li class="item"> <span class="high bold">Certificate verification &ndash; </span> by default supplied certificates have
their CA verified by comparing to a list of recognised CA certificates stored
in a server configuration file.  If the CA component of the client certificate
cannot be verified the connection is terminated before the HTTP request can
begin.  Although this is obviously required behaviour for authentication there
may be other circumstances where verification is not required, a certificate
content display service for instance.  WASD optionally allows non-verified
certificates to be used on a per-resource basis.

<li class="item"> <span class="high bold">&quot;Fingerprint&quot; REMOTE_USER &ndash; </span> when a certificate is accepted by the
server it generates a unique <span class="high italic">fingerprint</span> of the certificate.  By default,
this 32 digit hexadecimal number is used by the server as an <span class="high italic">effective
username</span>, one that would normally be supplied via a  username/password dialog
(as an alternative see the section immediately below).  This effective username
becomes that available via the CGI variable REMOTE_USER.  Although a 32 digit
number is not particularly site-administrator friendly it is a <span class="high under">unique</span>
representation (MD5 digest) of the individual certificate and can be used in
WASD_CONFIG_AUTH access-restriction directives and included in group lists and
databases for full WASD authorization control.  Note that MD5 is no longer
considered collision-resistant, so fingerprint-based restrictions are best
combined with CA verification and the [IS:/<span class="high italic">record</span>=<span class="high italic">string</span>]
issuer constraint described below.

<li class="item"> <span class="high bold">CN/DN record REMOTE_USER &ndash; </span> provides an alternative to using a
&quot;fingerprint&quot; REMOTE_USER.  Using the [RU:/<span class="high italic">record</span>=] conditional (see below)
it becomes possible to specify that the remote-user string be obtained from the
specified record of the client certificate subject field.  Note that there is a
(fairly generous) size limitation on the user name and that any white-space in
such a record is converted to underscores.  Although any record can be used the
more obvious candidates are /O=, /OU=, /CN=, /S=, /UID= and /EMAIL=.  Note that
(even with the default CA verification) the certificate CAs that this is
possible against should be further constrained through the use of a
[IS:/<span class="high italic">record</span>=<span class="high italic">string</span>] conditional (see example below).

<li class="item"> <span class="high bold">Subject Alternative Name REMOTE_USER &ndash; </span>  a common X509 V3 extension
for providing identifying data in a certificate, can also be used to derive the
remote user string.

<li class="item"> <span class="high bold">X509 extension REMOTE_USER &ndash; </span> 
the content of any other extension field suitably filtered.

</ul>

<a id="4.5.15" href="#"></a>
<a id="4.5.15.subjectalternativenameandotherextensions" href="#"></a>
<a id="subjectalternativenameandotherextensions" href="#"></a>
<h3 class="head"><span class="numb">4.5.15</span><span class="text">Subject Alternative Name and Other Extensions</span></h3>

<p> The basic syntax for this field is the full extension name, and the
short-hand equivalent.

<div class="blockof code">[X509]
/VMS/* r+w,param=&quot;[ru:X509v3_subject_Alternative_Name]&quot;
/VMS/* r+w,param=&quot;[ru:X509v3_SAN]&quot;
</div>

<p> The Subject Alternative Name (SAN) extension (in common with many others)
may contain multiple data elements, each with a leading name, a colon, and a
(if multi line) carriage-control terminated value.  WASD parses these into
unique fields using keywords fixed in function SesolaCertKeyword() and the site
configurable logical name WASD_X509_EXTENSION_KEYWORDS value.  To select one of
these fields, for example the common (Microsoft) user principal name (UPN),
append the required field name to the extension name as shown in the following
example (includes &quot;shorthand&quot; equivalents, along with the underscore and equate
variants). Note that the identifying name match is not case sensitive.

<div class="blockof code">[X509]
/VMS/* r+w,param=&quot;[ru:X509V3_Subject_Alternative_Name_UserPrincipalName]&quot;
/VMS/* r+w,param=&quot;[ru:X509V3_Subject_Alternative_Name=UserPrincipalName]&quot;
/VMS/* r+w,param=&quot;[ru:X509v3_SAN_UPN]&quot;
/VMS/* r+w,param=&quot;[ru:X509v3_SAN=UPN]&quot;
/VMS/* r+w,param=&quot;[ru:X509V3_Subject_Alternative_Name_rfc822Name]&quot;
/VMS/* r+w,param=&quot;[ru:X509V3_Subject_Alternative_Name=rfc822Name]&quot;
/VMS/* r+w,param=&quot;[ru:X509v3_SAN_822]&quot;
/VMS/* r+w,param=&quot;[ru:X509v3_SAN=822]&quot;
</div>

<p> Object Identifiers (OIDs) may be used for either record and field name (if
an unknown otherName) by prefixing with &quot;OID_&quot;.  For example, the SAN
may be alternatively selected, and the (Microsoft) UPN, as in the following
examples.

<div class="blockof code">/VMS/* r+w,param=&quot;[ru:OID_2_5_29_17]&quot;
/VMS/* r+w,param=&quot;[ru:OID_2_5_29_17_UPN]&quot;
/VMS/* r+w,param=&quot;[ru:OID_2_5_29_17=UPN]&quot;
/VMS/* r+w,param=&quot;[ru:X509v3_SAN_OID_1_3_6_1_20_2_3]&quot;
/VMS/* r+w,param=&quot;[ru:X509v3_SAN_OID=1_3_6_1_20_2_3]&quot;
</div>

<a id="4.5.15.0.1" href="#"></a>
<a id="4.5.15.extensionvisibility" href="#"></a>
<a id="extensionvisibility" href="#"></a>
<h5 class="head"><span class="text">Extension Visibility</span></h5>

<p> X509 certificate extensions are in general visible from WATCH and
accessible via CGI variables (when enabled using SET
<span class="high italic">SSLCGI=apache_mod_ssl_extens</span> and
<span class="high italic">SSLCGI=apache_mod_ssl_client</span> path mappings).  
The identifying names derived from X509 extensions are built of the
alphanumerics in the element names.  Non-alphanumerics (e.g. spaces) have
underscores substituted.   Multiple underscores are compressed into singles. 
Where elements have identical names the first multiple has TWO underscores and
the digit two appended, the second multiple, two underscores and three appended,
etc.

<a id="4.5.16" href="#"></a>
<a id="4.5.16.x509configuration" href="#"></a>
<a id="x509configuration" href="#"></a>
<h3 class="head"><span class="numb">4.5.16</span><span class="text">X509 Configuration</span></h3>


<p> Of course, the WASD OpenSSL component must be installed and in use to apply
client X.509 certificate authorization.  There is general server setup, then
per-service and per-resource configuration.

<a id="4.5.16.0.1" href="#"></a>
<a id="4.5.16.generalsetup" href="#"></a>
<a id="generalsetup" href="#"></a>
<h5 class="head"><span class="text">General Setup</span></h5>

<p> Client certificate authorization has reasonable defaults.  If some aspect
requires site refinement the WASD_CONFIG_GLOBAL [SSL..] directives (see
<a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>)
or command-line /SSL= qualifier parameters can provide per-server defaults.

<ul class="list list0">
<li class="item"> (CACHE=integer) sets the session cache size (128 entries by default)
<li class="item"> (CAFILE=file-name) sets the location of the CA verification store file
(also can be set via WASD_CONFIG_SSL_CAFILE logical).
<li class="item"> (TIMEOUT=integer) sets the session expiry period in minutes (5 by
default)
<li class="item"> (VERIFY=integer) sets the depth to which client certificate CAs are
verified (default is 10)
</ul>

<p> The location of the CA verification file can also be determined using the
logical name WASD_CONFIG_SSL_CAFILE.  The order of precedence for using these
specifications is

<ol class="list list0">
<li class="item"> per-service configuration using WASD_CONFIG_SERVICE or
WASD_CONFIG_GLOBAL
<li class="item"> per-server using /SSL=CAFILE=filename
<li class="item"> per-server using WASD_CONFIG_SSL_CAFILE
</ol>

<a id="4.5.16.0.2" href="#"></a>
<a id="4.5.16.byservice" href="#"></a>
<a id="byservice" href="#"></a>
<h5 class="head"><span class="text">By Service</span></h5>

<p> The WASD_CONFIG_SERVICE directive is provided for per-service CA file
specification, if necessary allowing different services to accept a different
mix of CAs.

<div class="blockof code">[[https://the.example.com:443]]
[ServiceSSLVerifyPeer]  enabled
[ServiceSSLVerifyPeerCAfile]  WASD_ROOT:[LOCAL]CA_THE_HOST_NAME.TXT
</div>

<a id="4.5.16.0.3" href="#"></a>
<a id="4.5.16.byresource" href="#"></a>
<a id="byresource" href="#"></a>
<h5 class="head"><span class="text">By Resource</span></h5>

<p> Client certificate authorization is probably most usefully applied on a
per-resource (per-request-path) basis using WASD_CONFIG_AUTH configuration file
rules.  Of course, per-resource control also applies to services that always
require a client  certificate (the only difference is the certificate has
already been negotiated for during the initial connection handshake).  The
reserved realm name &quot;X509&quot; activates client certificate authentication
when a rule belonging to that realm is triggered.  The following example shows
such a rule providing read access to those possessing any verified certificate.

<div class="blockof code">[X509]
/path/requiring/cert/* r
</div>

<p> Optional directives may be supplied to the X.509 authenticator controlling
what mode the certificate is accepted in, as well as further access-restriction
rules on specifically which certificates may or may not be accepted for
authorization.  Such directives are passed via the &quot;param=&quot; mechanism.
The following real-life example shows a script path requiring a mandatory
certificate, but not necessarily having the CA verified.  This would allow a
certificate display service to be established, the &quot;[to:EXPIRED]&quot;
directive forcing the client to explicitly select a certificate with each
access.

<div class="blockof code">[X509]
/cgi-bin/client_cert_details r,param=&quot;[vf:OPTIONAL][to:EXPIRED]&quot;
</div>

<p> A number of such directives are available controlling some aspects of the
certificate negotiation and verification.  The &quot;[LT:integer]&quot; directive
causes a verified certificate selection to continue to be valid for the
specified period as long as requests continue during that period (lifetime is
reset with each access).

<ul class="list list0">
<li class="item"> [DP:integer] verify certificate CA chain to this depth (default 10)
<li class="item"> [LT:integer] verified certificate lifetime in minutes (disabled by default)
<li class="item"> [RU:/record=] derive the remote-user name from the specified certificate
subject field DN record
<li class="item"> [TO:integer] session cache entry timeout in minutes (default 5)
<li class="item"> [TO:EXPIRED] session cache entry is forced to expire (initiating
renegotiation)
<li class="item"> [VF:NONE] no certificate is required (any existing is cancelled)
<li class="item"> [VF:OPTIONAL] certificate is required, CA verification is not required
<li class="item"> [VF:REQUIRED] the certificate must pass CA verification (the default) 
</ul>

<p> Optional &quot;param=&quot; passed conditionals may also be used to provide
additional filtering on which certificates may or may not be used against the
particular path.  This is based on pattern matching against client certificate
components.

<ul class="list list0">
<li class="item"> [CI:string] transaction cipher
<li class="item"> [IS:/record=string] specified Issuer (CA) DN record only
<li class="item"> [IS:string] entire Issuer (CA) DN
<li class="item"> [KS:integer] minimum key size
<li class="item"> [SU:/record=string] specified Subject (client) DN record only
<li class="item"> [SU:string] entire Subject (client) DN
</ul>

<p> These functions can be used in a similar fashion to mapping rule
conditionals (see 
<a class="link blank" target="_blank" href="../config/#conditionalconfiguration">Conditional Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>).
This includes the logical ORing, ANDing and negating of conditionals.  Asterisk
wildcards match any zero or more characters, percent characters any single
character.  Matching is case-insensitive.

<p> Note that the &quot;IS:&quot; and &quot;SU:&quot; conditionals each have a
<span class="high italic">specific-record</span> and an <span class="high italic">entire-field</span> mode.  If the
conditional string begins with a slash then it is considered to be a  match
against a specified record contents within the field.  If it begins with a
wildcard then it is matched against the entire field contents.  Certificate DN
records recognised by WASD,

<ul class="list simple list0">
<li class="item"> <span class="high bold italic">C=</span> countryName
<li class="item"> <span class="high bold italic">ST=</span> stateOrProvinceName
<li class="item"> <span class="high bold italic">SP=</span> stateOrProvinceName
<li class="item"> <span class="high bold italic">L=</span> localityName
<li class="item"> <span class="high bold italic">O=</span> organizationName
<li class="item"> <span class="high bold italic">OU=</span> organizationalUnitName
<li class="item"> <span class="high bold italic">CN=</span> commonName
<li class="item"> <span class="high bold italic">T=</span> title
<li class="item"> <span class="high bold italic">I=</span> initials
<li class="item"> <span class="high bold italic">G=</span> givenName
<li class="item"> <span class="high bold italic">S=</span> surname
<li class="item"> <span class="high bold italic">D=</span> description
<li class="item"> <span class="high bold italic">UID=</span> uniqueIdentifier
<li class="item"> <span class="high bold italic">Email=</span> pkcs9_emailAddress
</ul>

<p> The following (fairly contrived) examples provide an illustration of the
basics of X509 conditionals.  When matching against Issuer and Subject DNs some
knowledge of their contents and structure is required (see
<a class="link" href="#4.transportlayersecurity">4. Transport Layer Security</a> for some basic resources).

<div class="blockof code">[X509]
# only give &quot;VeriSign&quot;ed ones access
/controlled/path1/* r+w,param=&quot;[IS:/O=VeriSign\ Inc.]&quot;
# only give non-&quot;VeriSign&quot;ed ones access
/controlled/path2/* r+w,param=&quot;[!IS:/O=VeriSign\ Inc.]&quot;
# only allow 128 bit keys using RC4-MD5 access
/controlled/path3/* r+w,param=&quot;[KS:128][CI:RC4-MD5]&quot;
# only give a &quot;Thawte&quot;-signed client based in Australia
# with the following email address access
/controlled/path4/* r+w,param=&quot;\
[IS:*/O=Thawte\ Consulting\ cc/*]\
[SU:*/C=AU/*/Email=mark.daniel@wasd.vsm.com.au*]&quot;
# use the subject DN common-name record as the remote-user name
# furthermore, restrict the CA's allowed to be used this way
/VMS/* r+w,param=&quot;[RU:/CN=][IS:/O=WASD\ CA\ Cert]&quot;
</div>

<p> Of course, access control via group membership is also available.  The
<span class="high italic">effective username</span> for the list is the 32 digit fingerprint of the client
certificate (shown as REMOTE_USER in the first example of <a class="link" href="#4.5.18.x509authorizationcgivariables">4.5.18 X.509 Authorization CGI Variables</a>), or the Subject DN record as specified using the
[RU:/<span class="high italic">record</span>=] directive.  This may be entered into simple lists as part of
a group of which membership then controls access to the resource.  The
following examples show the contents of simple list files containing the X.509
fingerprints, derived remote-user names, and the required WASD_CONFIG_AUTH
realm entries. 

<div class="blockof code"># FINGERPRINTS.&dollar;HTL
# (a file of X.509 fingerprints for access to &quot;/path/requiring/cert/&quot;)
106C8342890A1703AAA517317B145BF7  mark.daniel@wasd.vsm.com.au
6ADA07108C20338ADDC3613D6D8B159D  just.another@where.ever.com

# CERT_CN.&dollar;HTL
# (a file of X.509 remote-user names derived using [RU:/CN=]
Mark_Daniel mark.daniel@wasd.vsm.com.au
Just_Another just.another@where.ever.com

[X509;FINGERPRINTS=list]
/path/requiring/cert/* r+w

[X509;CERT_CN=list]
/path/requiring/cn/* r+w
</div>

<p> In a similar fashion the effective username can be placed in an access
restriction list.  The following configuration would only allow the user of
the certificate access to the specified resources.  Other verified certificate
holders would be denied access.

<div class="blockof code">[X509]
/httpd/-/admin/* ~106C8342890A1703AAA517317B145BF7,r+w
/wasd_root/local/* ~106C8342890A1703AAA517317B145BF7,r+w

/other/path/* ~Mark_Daniel,r+w,param=&quot;[ru:/cn=]&quot;
/yet/another/path/* ~Just_Another,r+w,param=&quot;[ru:/cn=]&quot;
</div>

<a id="4.5.17" href="#"></a>
<a id="4.5.17.certificateauthorityverificationfile" href="#"></a>
<a id="certificateauthorityverificationfile" href="#"></a>
<h3 class="head"><span class="numb">4.5.17</span><span class="text">Certificate Authority Verification File</span></h3>


<p> For the CA certificate component of the client certificate to be verified
as being what it claims to be (and thus establishing the integrity of the
client certificate) a list of such certificates must be provided for comparison
purposes.  For WASD this list is contained in a single, plain-text file
variously specified using either the WASD_CONFIG_SSL_CAFILE logical or
per-service &quot;[ServiceSSLclientCAfile]&quot; directives, or the global
[SSLverifyPeerCAFile] directive.

<p> Copies of CA certificates are available for such purposes.  The PEM copies
(base-64 encoded versions of the binary certificate) can be placed into this
file using any desired text editor.  Comments may be inserted by prefixing with
the &quot;#&quot; character.  For WASD this would be best stored in the
WASD_ROOT:[LOCAL] directory, or site equivalent.

<p> An example of how such a file appears is provided below (bulk of the file
has been 8&lt; snipped 8&lt; for brevity).

<div class="blockof code">##
## Bundle of CA Root Certificates
##
## Certificate data from Mozilla as of: Wed Jan 18 04:12:05 2017 GMT
##
## This is a bundle of X.509 certificates of public Certificate Authorities
## (CA). These were automatically extracted from Mozilla's root certificates
## file (certdata.txt).  This file can be found in the mozilla source tree:
## https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
##
## It contains the certificates in PEM format and therefore
## can be directly used with curl / libcurl / php_curl, or with
## an Apache+mod_ssl webserver for SSL client authentication.
## Just configure this file as the SSLCACertificateFile.
##
## Conversion done with mk-ca-bundle.pl version 1.27.
## SHA256: dffa79e6aa993f558e82884abf7bb54bf440ab66ee91d82a27a627f6f2a4ace4
##


GlobalSign Root CA
==================
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
<span class="high italic">8&lt; snip 8&lt;</span>
</div>

<p> The WASD OpenSSL package provides an example CA verification file.
The exact date and source can be found in the opening commentary of the file
itself.  The contents of this file easily can be pared down to the minimum
certificates required for any given site.

<p> The bundle may be refreshed at any time using any reliable source.  The
cURL project provides such a resource suitable for its own use, Apache mod_ssl
and WASD.  This is sourced from the root certificates used by the Mozilla
Foundation for its Firefox product (and others).  Mozilla uses a non-PEM format
source which must be converted before use by WASD.  The cURL site provides this
already converted for use with its own utility and made available as a general
resource.  Because this file defines which CAs the server will trust when
verifying client certificates, retrieve it over HTTPS from a source you trust
and check it against the digest published by that source before installing it.

<ul class="list simple list0">
<li class="item"> <a class="link blank" target="_blank" href="http://curl.haxx.se/">http://curl.haxx.se/</a>
<li class="item"> <a class="link blank" target="_blank" href="http://curl.haxx.se/docs/caextract.html">http://curl.haxx.se/docs/caextract.html</a>
</ul>

<p> Download the bundle over HTTPS using a command-line tool as in this example

<div class="blockof code">&dollar; curl -o ca-bundle_crt.txt https://curl.haxx.se/ca/cacert.pem
</div>

or as a save-as dialogue click from your favourite browser and then a
transfer onto the VMS system.

<ul class="list simple">
<li class="item"> <a class="link blank" target="_blank" href="https://curl.haxx.se/ca/cacert.pem">https://curl.haxx.se/ca/cacert.pem</a>
</ul>

<a id="4.5.18" href="#"></a>
<a id="4.5.18.x509authorizationcgivariables" href="#"></a>
<a id="x509authorizationcgivariables" href="#"></a>
<h3 class="head"><span class="numb">4.5.18</span><span class="text">X.509 Authorization CGI Variables</span></h3>

<p> CGI variables specific to client certificate authorization are always
generated for use by scripts and SSI documents.  These along with the general
WASD authorization variables are shown in the example below.  Note, that due to
length of particular items some in this example are displayed wrapped.

<div class="blockof code">WWW_AUTH_ACCESS == &quot;READ+WRITE&quot;
WWW_AUTH_GROUP == &quot;&quot;
WWW_AUTH_REALM == &quot;X509&quot;
WWW_AUTH_REALM_DESCRIPTION == &quot;X509 Client Certs&quot;
WWW_AUTH_TYPE == &quot;X509&quot;
WWW_AUTH_USER == &quot;Mark Daniel, mark.daniel@wasd.vsm.com.au&quot;
WWW_AUTH_X509_CIPHER == &quot;RC4-MD5&quot;
WWW_AUTH_X509_FINGERPRINT == &quot;10:6C:83:42:89:0A:17:03:AA:A5:17:31:7B:14:5B:F7&quot;
WWW_AUTH_X509_ISSUER == &quot;/O=VeriSign, Inc./OU=VeriSign Trust
Network/OU=www.verisign.com/repository/RPA Incorp. By
Ref.,LIAB.LTD(c)98/CN=VeriSign Class 1 CA Individual Subscriber-Persona Not
Validated&quot;
WWW_AUTH_X509_KEYSIZE == &quot;128&quot;
WWW_AUTH_X509_SUBJECT == &quot;/O=VeriSign, Inc./OU=VeriSign Trust
Network/OU=www.verisign.com/repository/RPA Incorp. by
Ref.,LIAB.LTD(c)98/OU=Persona Not Validated/OU=Digital ID Class 1 - Netscape
/CN=Mark Daniel/Email=mark.daniel@wasd.vsm.com.au&quot;
WWW_REMOTE_USER == &quot;106C8342890A1703AAA517317B145BF7&quot;
</div>

<p> Other CGI variables optionally may be enabled using WASD_CONFIG_MAP mapping
rules.  See <a class="link" href="#4.5.18.x509authorizationcgivariables">4.5.18 X.509 Authorization CGI Variables</a>.  Specific client
certificate variables providing the details of such certificates are available
with SSLCGI=apache_mod_ssl.  These are of course in addition to the more
general apache_mod_ssl variables described in the above section.  Note that
where some ASN.1 records are duplicated (as in SSL_CLIENT_S_DN) some variables
will contain newline characters (LF, 0x0A) between those elements (e.g.
SSL_CLIENT_S_DN_OU).  The line breaks in this example do not necessarily reflect
those characters.

<div class="blockof code">  WWW_SSL_CIPHER == &quot;TLS_AES_256_GCM_SHA384&quot;
  WWW_SSL_CIPHER_ALGKEYSIZE == &quot;256&quot;
  WWW_SSL_CIPHER_USEKEYSIZE == &quot;256&quot;
  WWW_SSL_PROTOCOL == &quot;TLSv1.3&quot;
  WWW_SSL_SERVER_A_KEY == &quot;rsaEncryption&quot;
  WWW_SSL_SERVER_A_SIG == &quot;sha256WithRSAEncryption&quot;
  WWW_SSL_SERVER_E_AUTHORITY_INFORMATION_ACCESS == &quot;OCSP - URI:http://ocsp.int-x3.letsencrypt.org.CA Issuers 8&lt; snip 8&lt;
  WWW_SSL_SERVER_E_AUTHORITY_INFORMATION_ACCESS_URI == &quot;http://ocsp.int-x3.letsencrypt.org&quot;
  WWW_SSL_SERVER_E_AUTHORITY_INFORMATION_ACCESS_URI__2 == &quot;http://cert.int-x3.letsencrypt.org/&quot;
  WWW_SSL_SERVER_E_CT_PRECERTIFICATE_SCTS == &quot;Signed Certificate Timestamp:.    Version   : v1 (0x0).    Log ID    :
8&lt; snip 8&lt;
  WWW_SSL_SERVER_E_X509V3_AUTHORITY_KEY_IDENTIFIER == &quot;keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1.&quot;
  WWW_SSL_SERVER_E_X509V3_AUTHORITY_KEY_IDENTIFIER_KEYID == &quot;A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1&quot;
  WWW_SSL_SERVER_E_X509V3_BASIC_CONSTRAINTS == &quot;CA:FALSE&quot;
  WWW_SSL_SERVER_E_X509V3_BASIC_CONSTRAINTS_CA == &quot;FALSE&quot;
  WWW_SSL_SERVER_E_X509V3_CERTIFICATE_POLICIES == &quot;Policy: 2.23.140.1.2.1.Policy: 1.3.6.1.4.1.44947.1.1.1. 8&lt; snip 8&lt;
  WWW_SSL_SERVER_E_X509V3_CERTIFICATE_POLICIES_CPS == &quot; http://cps.letsencrypt.org&quot;
  WWW_SSL_SERVER_E_X509V3_CERTIFICATE_POLICIES_POLICY == &quot; 2.23.140.1.2.1&quot;
  WWW_SSL_SERVER_E_X509V3_CERTIFICATE_POLICIES_POLICY__2 == &quot; 1.3.6.1.4.1.44947.1.1.1&quot;
  WWW_SSL_SERVER_E_X509V3_EXTENDED_KEY_USAGE == &quot;TLS Web Server Authentication, TLS Web Client Authentication&quot;
  WWW_SSL_SERVER_E_X509V3_KEY_USAGE == &quot;Digital Signature, Key Encipherment&quot;
  WWW_SSL_SERVER_E_X509V3_SAN == &quot;dNSName:the.host.name..dNSName:the.host.name&quot;
  WWW_SSL_SERVER_E_X509V3_SUBJECT_ALTERNATIVE_NAME == &quot;dNSName:the.host.name..dNSName:the.host.name&quot;
  WWW_SSL_SERVER_E_X509V3_SUBJECT_KEY_IDENTIFIER == &quot;4E:6A:0B:56:F0:EF:1B:1E:71:E1:33:53:A0:39:32:D3:0C:D6:3C:0C&quot;
  WWW_SSL_SERVER_I_DN == &quot;/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3&quot;
  WWW_SSL_SERVER_I_DN_C == &quot;US&quot;
  WWW_SSL_SERVER_I_DN_CN == &quot;Let's Encrypt Authority X3&quot;
  WWW_SSL_SERVER_I_DN_O == &quot;Let's Encrypt&quot;
  WWW_SSL_SERVER_M_SERIAL == &quot;03AC67E421D5E26AA843A14F50343FEB1F84&quot;
  WWW_SSL_SERVER_M_VERSION == &quot;3&quot;
  WWW_SSL_SERVER_S_DN == &quot;/CN=the.host.name&quot;
  WWW_SSL_SERVER_S_DN_CN == &quot;the.host.name&quot;
  WWW_SSL_SERVER_V_END == &quot;Jul 17 13:50:24 2020 GMT&quot;
  WWW_SSL_SERVER_V_START == &quot;Apr 18 13:50:24 2020 GMT&quot;
  WWW_SSL_SESSION_ID == &quot;533d71a813a1ee8c5c68ae30c4cd05ac3b673ee9b04ac04567cad18418730dfe&quot;
  WWW_SSL_TLS_ALPN == &quot;h2&quot;
  WWW_SSL_TLS_SNI == &quot;the.host.name&quot;
  WWW_SSL_VERSION_INTERFACE == &quot;HTTPd-WASD/11.5.0 OpenVMS/AXP SSL&quot;
  WWW_SSL_VERSION_LIBRARY == &quot;OpenSSL 1.1.1c  28 May 2019&quot;
</div>

<a id="4.6" href="#"></a>
<a id="4.6.certificatemanagement" href="#"></a>
<a id="certificatemanagement" href="#"></a>
<h2 class="head"><span class="numb">4.6</span><span class="text">Certificate Management</span></h2>

<p> This is not a tutorial on X.509 certificates and their management. Refer to
the listed references, <a class="link" href="#4.transportlayersecurity">4. Transport Layer Security</a>, for further
information on this aspect.  It does provide some basic guidelines.

<p> Certificates identify something or someone, associating a public
cryptographic key with the identity of the certificate holder.  It includes a
distinguished name, identification and signature of the certificate authority
(CA, the issuer and guarantor of the certificate), and the period for which the
certificate is valid, possibly with other, additional information.

<p> The three types of certificates of interest here should not be confused.

<ul class="list">

<li class="item"> <span class="high bold">CA &ndash; </span> The Certificate Authority identifies the
<span class="high italic">authority</span>, or organization, that issues a certificate.

<li class="item"> <span class="high bold">Server &ndash; </span> Identifies a particular end-service.  Its
value as a guarantee of identity is founded in the <span class="high italic">authority</span> of
the organization that issues the certificate. It is the certificate specified
to the server at startup.

<li class="item"> <span class="high bold">Client &ndash; </span> Identifies a particular client to a server via
SSL (client authentication). Typically, the identity of the client is assumed
to be the same as the identity of a human being.  Again, its value as a
guarantee of identity is founded in the <span class="high italic">authority</span> of the
organization that issues the certificate.

</ul>

<p> The various OpenSSL tools are available for management of all of these
certificate types in each of the three SSL environments.

<ul class="list">

<li class="item"> The VSI SSL111 product provides the &quot;SSL Certificate Tool&quot;
procedure, which can be used to perform most required certificate management
tasks from a menu-driven interface.

<div class="blockof code">&dollar; @SSL111&dollar;COM:SSL111&dollar;CERT_TOOL.COM

      <span class="high bold">SSL Certificate Tool</span>

                               <span class="high bold">Main Menu</span>

          1. View a Certificate
          2. View a Certificate Signing Request
          3. Create a Certificate Signing Request
          4. Create a Self-Signed Certificate
          5. Create a CA (Certification Authority) Certificate
          6. Sign a Certificate Signing Request
          7. Revoke a Certificate
          8. Create a Certificate Revocation List
          9. Hash Certificates
         10. Hash Certificate Revocations
         11. Exit

         Enter Option:
</div>

<li class="item"> The standard OpenSSL toolkit provides a number of command-line tools for
creation and management of X.509 certificates.

<li class="item"> Or if you prefer something a little less arcane than the (ever so useful)
command-line
<div class="note">
<a id="4.6.0.0.1" href="#"></a>
<a id="4.6.notreallyanendorsementbut" href="#"></a>
<a id="notreallyanendorsementbut" href="#"></a>
<h5 class="head center"><span class="text">not really an endorsement but</span></h5>
<hr class="note_hr">
<p> XCA is a <span class="high bold">GUI application</span> intended for creating and
managing X.509 certificates, certificate requests, RSA, DSA and EC private
keys, Smartcards and CRLs. It uses the OpenSSL library for the cryptographic
operations.  The application is available for Linux, macOS and Windows, as well
as source code. 
<ul class="list simple list0">
<li class="item"> <a class="link blank" target="_blank" href="https://hohnstaedt.de/xca">https://hohnstaedt.de/xca</a>
<li class="item"> <a class="link blank" target="_blank" href="https://sourceforge.net/projects/xca/">https://sourceforge.net/projects/xca/</a>
</ul>
<hr class="note_hr">
</div>

</ul>

<a id="4.6.1" href="#"></a>
<a id="4.6.1.servercertificate" href="#"></a>
<a id="servercertificate" href="#"></a>
<h3 class="head"><span class="numb">4.6.1</span><span class="text">Server Certificate</span></h3>

<p> The server uses a certificate to establish its identity during the initial
phase of the SSL protocol exchange. Each server should have a unique
certificate. An example certificate is provided with the WASD OpenSSL package. 
If this is not available (for instance when using the VSI SSL111 product) then
the server will fall back to an internal, default certificate that allows SSL
functionality even when no external certification is available. If a &quot;live&quot; SSL
site is required a unique certificate issued by a third-party Certificate
Authority is desirable.

<div class="note">
<a id="4.6.1.0.1" href="#"></a>
<a id="4.6.1.letsencrypt" href="#"></a>
<a id="letsencrypt" href="#"></a>
<h5 class="head center"><span class="text">Let's Encrypt</span></h5>
<hr class="note_hr">
Self-signing certificates as described below has a number of shortcomings for
general web server certification.  Fortunately <span class="high bold">Let's Encrypt</span>
makes it possible automatically to obtain and maintain a browser-trusted
certificate, simply, and <span class="high bold">at no cost</span>.  This is accomplished by
running a certificate management agent on the web server.  The <span class="high under">WASD
Certificate Management Environment</span> (wuCME) may be used to perform this function
on VMS.
<p> See <span class="high bold">wuCME</span> on the WASD download page at
<a class="link blank" target="_blank" href="https://wasd.vsm.com.au/wasd/#wucme">https://wasd.vsm.com.au/wasd/</a>
<hr class="note_hr">
</div>

<a id="4.6.1.0.2" href="#"></a>
<a id="4.6.1.selfsignedcertificates" href="#"></a>
<a id="selfsignedcertificates" href="#"></a>
<h5 class="head"><span class="text">Self-Signed Certificates</span></h5>

<p> A less satisfactory alternative to obtaining one of these certificates is
provided by the WASD support DCL procedures, which are quick hacks to ease the
production of certificates on an ad hoc basis.  In all cases it is preferable
to directly use the utilities provided with OpenSSL, but the documentation
tends to be rather sparse.

<p> The VSI <span class="high monosp">SSL111&dollar;COM:SSL111&dollar;CERT_TOOL.COM</span> described above can create
self-signed certificates.

<p> <span class="high bold under">Also note that the WASD server dynamically generates a self-signed
certificate</span> for TLS services that otherwise do not have a configured server
certificate.  This is largely for testing a server immediately after
installation (e.g. using <span class="high bold">@WASD_ROOT:[INSTALL]DEMO SSL</span> at the command-line). 
This certificate suffers all the short-comings of self-signed certificates with
modern browsers (post-2019) but is better than no certificate at all. 
Interestingly, <span class="high bold">Incognito/[In]Private instances</span> of a browser are often more
relaxed about accepting certificates with recognised security deficiencies
(e.g. unknown Certificate Authority signing).  At least at the time of writing.

<a id="4.6.1.0.3" href="#"></a>
<a id="4.6.1.loadingauthoritycertificates" href="#"></a>
<a id="loadingauthoritycertificates" href="#"></a>
<h5 class="head"><span class="text">Loading Authority Certificates</span></h5>

<p> The first requirement may be a tailored &quot;Certificate Authority&quot;
certificate. As the Certificate Authority is non-authoritative (not trying to be
too oxymoronic, i.e. not a well-known CA) these certificates have little value
except to allow SSL transactions to be established with trusting clients.
More commonly &quot;Server Certificates&quot; for specific host names are required.

<p> CA certificates can be loaded into browsers to allow sites using that CA
to be accessed by that browser without further dialog. Browsers commonly
invoke a server certificate load dialog when encountering a site using a valid
but unknown server certificate.

<p> A manual load is accomplished by requesting the certificate in a format
appropriate to the particular browser.  This triggers a browser dialog with the
user to confirm or refuse the loading of that certificate into the browser
Certificate Authority database.

<p> To facilitate loading CA certificates into a browser ensure the following
entries are contained in the HTTP&dollar;CONFIG configuration file:

<div class="blockof code">[AddIcon]
/httpd/-/binary.gif  [BIN]  application/x-x509-ca-cert

[AddType]
.CRT  application/x-x509-ca-cert  -  DER certificate (MSIE)
.PEM  application/x-x509-ca-cert  -  Privacy Enhanced Mail certificate
</div>

<p> Then just provide a link to the required certificate file(s), and click.

<a id="4.6.1.0.4" href="#"></a>
<a id="4.6.1.changingservercertificates" href="#"></a>
<a id="changingservercertificates" href="#"></a>
<h5 class="head"><span class="text">Changing Server Certificates</span></h5>

<p> If a site's server (or CA certificate) is changed and the server restarted
any executing browsers will probably complain (Netscape Navigator reports an
I/O error). In this case open the browser's certificate database and delete
any relevant, permanently stored certificate entry, then close and restart the
browser. The next access should initiate the server certificate dialog, or the
CA certificate may be explicitly reloaded.

<a id="4.6.2" href="#"></a>
<a id="4.6.2.certificatesigningrequest" href="#"></a>
<a id="certificatesigningrequest" href="#"></a>
<h3 class="head"><span class="numb">4.6.2</span><span class="text">Certificate Signing Request</span></h3>

<p> Recognised Certificate Authorities (CAs) such as Thawte and VeriSign
publish lists of requirements for obtaining a server certificate.  These often
include documents required to prove the organisational name and the right to
use the domain name being requested.  Check the particular vendor for the exact
requirements.

<p> In addition, a document containing the site's public key, signed with the
corresponding private key, is required.  This is known as the Certificate Signing
Request (CSR) and must be generated digitally at the originating site; the
private key itself is never sent to the CA.

<p> Using the VSI SSL111 for OpenVMS product &quot;SSL Certificate Tool&quot; described in
<a class="link" href="#4.6.certificatemanagement">4.6 Certificate Management</a> a CSR can  easily be generated using its
menu-driven interface.  The alternative is using a command-line interface tool.

<p> The following instructions provide the basics for generating a CSR at the
command-line in the WASD environment and, generally, in any OpenSSL environment (including
the VSI SSL111 for OpenVMS product).

<ol class="list">

<li class="item"> Change to a secure directory.  The following is a suggestion.
<div class="blockof code">&dollar; SET DEFAULT WASD_ROOT:[LOCAL]
</div>

<li class="item"> Assign a foreign verb for the OPENSSL application.  The location may
vary a little depending on which OpenSSL package you have installed. See
<a class="link" href="#4.4.opensslexeapplication">4.4 OPENSSL.EXE Application</a>.

<li class="item"> Specify a source of lots of &quot;random&quot; data (can be any big file for
the purposes of this exercise).
<div class="blockof code">&dollar; RANDFILE = &quot;WASD_EXE:HTTPD_SSL.EXE&quot;
</div>

<li class="item"> Find the template configuration file.  You will need to specify this
location in a step described below.  Should be something like the following.
<div class="blockof code">WASD_ROOT:[SRC.OPENSSL-<span class="high italic">version</span>.WASD]TEMPLATE.CNF
</div>

<li class="item"> Generate your private key (RANDFILE data is used by this).  The
output from this looks something like what's shown.  Notice the pass
phrase prompts.  <span class="high bold">This pass phrase protects your private key, don't forget it!</span>
The 1024-bit modulus in this older example is smaller than is generally accepted
today; 2048 bits or larger is the usual minimum.

<div class="blockof code">&dollar; OPENSSL GENRSA -DES3 -OUT SERVER.KEY 1024

Generating RSA private key, 1024 bit long modulus
.....++++++
......++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
</div>

<li class="item"> Generate the Certificate Signing Request using syntax similar to the
following (this is where you are required to specify the location of the
configuration template).  Note that there are quite a few fields - <span class="high bold">GET THEM
RIGHT!</span>  They need to be unique and local - they're your distinguishing name
(DN). &quot;Common Name&quot; is the host you want the certificate for.  It can be a 
fully qualified host name (e.g. &quot;klaatu.local.net&quot;), or a local <span class="high italic">wildcard</span>
(e.g. &quot;*.local.net&quot;) for which you may pay more.

<div class="blockof code">&dollar; OPENSSL REQ -NEW -KEY SERVER.KEY -OUT SERVER.CSR -CONFIG -
WASD_ROOT:[SRC.OPENSSL-0_9_6B.WASD]TEMPLATE.CNF

Using configuration from template.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name
or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:South Australia
Locality Name (eg, city) []:Adelaide
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example
Organizational Unit Name (eg, section) []:WASD
Common Name (eg, YOUR name) []:klaatu.local.net
Email Address []:Mark.Daniel@wasd.vsm.com.au
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</div>

<li class="item"> That's it!  You should have two files in your default directory.

<div class="blockof code">SERVER.CSR;1               2  14-MAR-2002 04:38:26.15
SERVER.KEY;1               2  14-MAR-2002 04:31:38.76
</div>

<p> Keep the SERVER.KEY file secure; it is never sent to the CA.  You'll need it
when you receive the certificate back from the CA.

<p> The SERVER.CSR is what you send to the CA (usually by mail or Web
form).  It looks something like the following

<div class="blockof code">&dollar; TYPE SERVER.CSR
-----BEGIN CERTIFICATE REQUEST-----
MIIBPTCB6AIBADCBhDELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2Fw
ZTESMBAGA1UEBxMJQ2FwZSBUb3duMRQwEgYDVQQKEwtPcHBvcnR1bml0aTEYMBYG
A1UECxMPT25saW5lIFNlcnZpY2VzMRowGAYDVQQDExF3d3cuZm9yd2FyZC5jby56
YTBaMA0GCSqGSIb3DQEBAQUAA0kAMEYCQQDT5oxxeBWu5WLHD/G4BJ+PobiC9d7S
6pDvAjuyC+dPAnL0d91tXdm2j190D1kgDoSp5ZyGSgwJh2V7diuuPlHDAgEDoAAw
DQYJKoZIhvcNAQEEBQADQQBf8ZHIu4H8ik2vZQngXh8v+iGnAXD1AvUjuDPCWzFu
pReiq7UR8Z0wiJBeaqiuvTDnTFMz6oCq6htdH7/tvKhh
-----END CERTIFICATE REQUEST-----
</div>

<p> You can see the details of this file (a certificate request, hence the
<span class="high monosp">REQ</span> subcommand rather than <span class="high monosp">RSA</span>) using

<div class="blockof code">&dollar; OPENSSL REQ -NOOUT -TEXT -IN SERVER.CSR
</div>

</ol>

<a id="4.6.2.0.1" href="#"></a>
<a id="4.6.2.afterreceivingthecertificate" href="#"></a>
<a id="afterreceivingthecertificate" href="#"></a>
<h5 class="head"><span class="text">After Receiving The Certificate</span></h5>

<p> Once the signed certificate has been issued by the Certificate Authority it
can be placed directly into the server configuration directory, usually
WASD_ROOT:[LOCAL], and configured for use from there.  Using the certificate
direct from the CA requires that the private key password be given to the
server each time (<a class="link" href="#4.5.9.sslprivatekey">4.5.9 SSL Private Key</a>).  It is possible to store
the key without its password so that this is not required; such a key is then
protected only by the file's access controls, so restrict those accordingly.

<p> <span class="high bold">Remember to keep original files secure, only work on copies!</span>

<ol class="list">

<li class="item"> Assign a foreign verb for the OPENSSL application.  The location may
vary a little depending on which OpenSSL package you have installed.

<div class="blockof code">&dollar; OPENSSL == &quot;&dollar;WASD_ROOT:[SRC.OPENSSL-<span class="high italic">version</span>.AXP.EXE.APPS]OPENSSL.EXE&quot;
</div>

<p> When using the VSI SSL111 product or other OpenSSL toolkit the verb may
already be available.

<div class="blockof code">&dollar; SHOW SYMBOL OPENSSL
  OPENSSL == &quot;&dollar; SSL111&dollar;EXE:OPENSSL&quot;
</div>

<li class="item"> Go to wherever you want to do the work.
<div class="blockof code">&dollar; SET DEFAULT WASD_ROOT:[LOCAL]
</div>

<li class="item"> You may require these additional steps (based on user experience):

<ul class="list">

<li class="item"> VeriSign sent certificate with headers like this:

<div class="blockof code">-----BEGIN PKCS #7 SIGNED DATA-----
-----END PKCS #7 SIGNED DATA-----
</div>

<p> Using an editor, ensure the header/trailer looks this:

<div class="blockof code">-----BEGIN PKCS7-----
-----END PKCS7-----
</div>

<li class="item"> Then into the required intermediate format:

<div class="blockof code">&dollar; OPENSSL pkcs7 -print_certs -in SERVER.CERT -outform DER -out CERTIFICATE.PEM
</div>

<li class="item"> A <span class="high italic">readable</span> version of the new file can be viewed using:
<div class="blockof code">&dollar; OPENSSL x509 -noout -text -in CERTIFICATE.PEM
</div>

</ul>

<li class="item"> Using the original key file, write a copy with the password removed
(the copy is an unencrypted private key, so protect it as carefully as the original).  When
prompted &quot;Enter PEM pass phrase:&quot; enter the password.
<div class="blockof code">&dollar; OPENSSL rsa -in SERVER.KEY -out WORK.PEM
</div>

<li class="item"> Append this password-embedded key file to your certificate file.
<div class="blockof code">&dollar; COPY CERTIFICATE.PEM,WORK.PEM CERTIFICATE.PEM;0
</div>

<li class="item"> Delete the temporary file.
<div class="blockof code">&dollar; DELETE WORK.PEM;*
</div>

</ol>

<a id="4.7" href="#"></a>
<a id="4.7.sslcgivariables" href="#"></a>
<a id="sslcgivariables" href="#"></a>
<h2 class="head"><span class="numb">4.7</span><span class="text">SSL CGI Variables</span></h2>

<p> CGI variables specific to SSL transactions optionally may be enabled using
WASD_CONFIG_MAP mapping rules.  (See 
<a class="link blank" target="_blank" href="../config/#requestprocessingconfiguration">Request Processing Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>).
This may be done on a specific per-path or general CGI basis.  In the following
examples, due to the length of particular items, some are displayed
wrapped. Also, where some ASN.1 records are duplicated (as in SSL_CLIENT_S_DN),
some variables will contain newline characters (0x0A) between those elements
(e.g. SSL_CLIENT_S_DN_OU).  The line breaks in the examples do not necessarily
reflect those characters.

<a id="4.7.0.0.1" href="#"></a>
<a id="4.7.setpathsslcgiapachemodssl" href="#"></a>
<a id="setpathsslcgiapachemodssl" href="#"></a>
<h5 class="head"><span class="text">set /path/* SSLCGI=apache_mod_ssl</span></h5>

<p>
<div class="blockof code">  WWW_SSL_CIPHER == &quot;TLS_AES_256_GCM_SHA384&quot;
  WWW_SSL_CIPHER_ALGKEYSIZE == &quot;256&quot;
  WWW_SSL_CIPHER_USEKEYSIZE == &quot;256&quot;
  WWW_SSL_PROTOCOL == &quot;TLSv1.3&quot;
  WWW_SSL_SERVER_A_KEY == &quot;rsaEncryption&quot;
  WWW_SSL_SERVER_A_SIG == &quot;sha256WithRSAEncryption&quot;
  WWW_SSL_SERVER_E_AUTHORITY_INFORMATION_ACCESS == &quot;OCSP - URI:http://ocsp.int-x3.letsencrypt.org.CA Issuers 8&lt; snip 8&lt;
  WWW_SSL_SERVER_E_AUTHORITY_INFORMATION_ACCESS_URI == &quot;http://ocsp.int-x3.letsencrypt.org&quot;
  WWW_SSL_SERVER_E_AUTHORITY_INFORMATION_ACCESS_URI__2 == &quot;http://cert.int-x3.letsencrypt.org/&quot;
  WWW_SSL_SERVER_E_CT_PRECERTIFICATE_SCTS == &quot;Signed Certificate Timestamp:.    Version   : v1 (0x0).    Log ID    :
8&lt; snip 8&lt;
  WWW_SSL_SERVER_E_X509V3_AUTHORITY_KEY_IDENTIFIER == &quot;keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1.&quot;
  WWW_SSL_SERVER_E_X509V3_AUTHORITY_KEY_IDENTIFIER_KEYID == &quot;A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1&quot;
  WWW_SSL_SERVER_E_X509V3_BASIC_CONSTRAINTS == &quot;CA:FALSE&quot;
  WWW_SSL_SERVER_E_X509V3_BASIC_CONSTRAINTS_CA == &quot;FALSE&quot;
  WWW_SSL_SERVER_E_X509V3_CERTIFICATE_POLICIES == &quot;Policy: 2.23.140.1.2.1.Policy: 1.3.6.1.4.1.44947.1.1.1. 8&lt; snip 8&lt;
  WWW_SSL_SERVER_E_X509V3_CERTIFICATE_POLICIES_CPS == &quot; http://cps.letsencrypt.org&quot;
  WWW_SSL_SERVER_E_X509V3_CERTIFICATE_POLICIES_POLICY == &quot; 2.23.140.1.2.1&quot;
  WWW_SSL_SERVER_E_X509V3_CERTIFICATE_POLICIES_POLICY__2 == &quot; 1.3.6.1.4.1.44947.1.1.1&quot;
  WWW_SSL_SERVER_E_X509V3_EXTENDED_KEY_USAGE == &quot;TLS Web Server Authentication, TLS Web Client Authentication&quot;
  WWW_SSL_SERVER_E_X509V3_KEY_USAGE == &quot;Digital Signature, Key Encipherment&quot;
  WWW_SSL_SERVER_E_X509V3_SAN == &quot;dNSName:the.host.name..dNSName:the.host.name&quot;
  WWW_SSL_SERVER_E_X509V3_SUBJECT_ALTERNATIVE_NAME == &quot;dNSName:the.host.name..dNSName:the.host.name&quot;
  WWW_SSL_SERVER_E_X509V3_SUBJECT_KEY_IDENTIFIER == &quot;4E:6A:0B:56:F0:EF:1B:1E:71:E1:33:53:A0:39:32:D3:0C:D6:3C:0C&quot;
  WWW_SSL_SERVER_I_DN == &quot;/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3&quot;
  WWW_SSL_SERVER_I_DN_C == &quot;US&quot;
  WWW_SSL_SERVER_I_DN_CN == &quot;Let's Encrypt Authority X3&quot;
  WWW_SSL_SERVER_I_DN_O == &quot;Let's Encrypt&quot;
  WWW_SSL_SERVER_M_SERIAL == &quot;03AC67E421D5E26AA843A14F50343FEB1F84&quot;
  WWW_SSL_SERVER_M_VERSION == &quot;3&quot;
  WWW_SSL_SERVER_S_DN == &quot;/CN=the.host.name&quot;
  WWW_SSL_SERVER_S_DN_CN == &quot;the.host.name&quot;
  WWW_SSL_SERVER_V_END == &quot;Jul 17 13:50:24 2020 GMT&quot;
  WWW_SSL_SERVER_V_START == &quot;Apr 18 13:50:24 2020 GMT&quot;
  WWW_SSL_SESSION_ID == &quot;533d71a813a1ee8c5c68ae30c4cd05ac3b673ee9b04ac04567cad18418730dfe&quot;
  WWW_SSL_TLS_ALPN == &quot;h2&quot;
  WWW_SSL_TLS_SNI == &quot;the.host.name&quot;
  WWW_SSL_VERSION_INTERFACE == &quot;HTTPd-WASD/11.5.0 OpenVMS/AXP SSL&quot;
  WWW_SSL_VERSION_LIBRARY == &quot;OpenSSL 1.1.1c  28 May 2019&quot;
</div>

<p> The Apache <span class="high italic">mod_ssl</span> client certificate details described in <a class="link" href="#4.5.18.x509authorizationcgivariables">4.5.18 X.509 Authorization CGI Variables</a> above are not shown in the above example but would
be included if the request was X.509 authenticated.

<p> X509 certificate extensions are in general visible from WATCH and
accessible via CGI variables when enabled using SET
<span class="high italic">SSLCGI=apache_mod_ssl_extens</span> and
<span class="high italic">SSLCGI=apache_mod_ssl_client</span> path mappings.  

<a id="4.8" href="#"></a>
<a id="4.8.sslserviceevaluation" href="#"></a>
<a id="sslserviceevaluation" href="#"></a>
<h2 class="head"><span class="numb">4.8</span><span class="text">SSL Service Evaluation</span></h2>

<p> This section is just the barest introduction to a significant topic.
                     
<a id="4.8.0.0.1" href="#"></a>
<a id="4.8.qualysssllab" href="#"></a>
<a id="qualysssllab" href="#"></a>
<h5 class="head"><span class="text">Qualys SSL Lab</span></h5>

<p> &quot;How well do you know SSL? If you want to learn more about the
technology that protects the Internet, you've come to the right place.&quot;

<p class="indent"> <a class="link blank" target="_blank" href="https://www.ssllabs.com/">https://www.ssllabs.com/</a>

<p> Not necessarily an endorsement by WASD but a useful resource in itself.

<p> Provides a <span class="high italic">free and unencumbered</span>, comprehensive SSL Server test service

<p class="indent"> <a class="link blank" target="_blank" href="https://www.ssllabs.com/ssltest/">https://www.ssllabs.com/ssltest/</a>

<p> reporting on certificate status, protocol version, cipher suites, handshakes
with various simulated clients, and protocol details including known
vulnerabilities.  It also summarises the report with a colour-coded rating. 

<a id="4.8.0.0.2" href="#"></a>
<a id="4.8.athome" href="#"></a>
<a id="athome" href="#"></a>
<h5 class="head"><span class="text">At Home</span></h5>

<p> So to speak.

<p> The OPENSSL command-line application (<a class="link" href="#4.4.opensslexeapplication">4.4 OPENSSL.EXE Application</a>)
provides a configurable client for checking and testing various aspects of
server configuration and behaviour.  The basic operation represented by the
command-line

<div class="blockof code">&dollar; openssl s_client -host <span class="high left italic">host name or address&gt;</span> -port 443
</div>
 provides a comprehensive report including certificates and certificate
chain, the protocol version and cipher negotiated, along with more esoteric
elements of TLS/SSL.  Some data have been 8&lt; snipped 8&lt; for brevity
in the following example.

<div class="blockof code">&dollar; openssl s_client -host klaatu.private -port 443
WARNING: can't open config file: SSLROOT:[000000]openssl.cnf
CONNECTED(00000003)
depth=0 C = AU, ST = SA, L = Adelaide, O = WASD Server Cert, OU 8&lt; snip 8&lt; 
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = AU, ST = SA, L = Adelaide, O = WASD Server Cert, OU 8&lt; snip 8&lt; 
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = AU, ST = SA, L = Adelaide, O = WASD Server Cert, OU 8&lt; snip 8&lt;
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=AU/ST=SA/L=Adelaide/O=WASD Server Cert/OU=OpenSSL 1.0.1 8&lt; snip 8&lt; 
   i:/C=AU/ST=SA/L=Adelaide/O=WASD CA Cert/OU=OpenSSL 1.0.1j Te 8&lt; snip 8&lt; 
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFsjCCBJqgAwIBAgIBBDANBgkqhkiG9w0BAQQFADCBtjELMAkGA1UEBhMCQVUx
8&lt; snip 8&lt; 
pErvrfr69iDbJbhO+mRmIkZIXHc5CFV/M1zzLD5240ixxu/d6nAUBhGba0W4Kste
x1SgLJ0BqFTjegxuHRXkK5lOlY11Hw==
-----END CERTIFICATE-----
subject=/C=AU/ST=SA/L=Adelaide/O=WASD Server Cert/OU=OpenSSL 1. 8&lt; snip 8&lt;
issuer=/C=AU/ST=SA/L=Adelaide/O=WASD CA Cert/OU=OpenSSL 1.0.1j  8&lt; snip 8&lt; 
---
No client certificate CA names sent
---
SSL handshake has read 1791 bytes and written 625 bytes
---<span style="background-color:yellow">
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit</span>
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:<span style="background-color:yellow">
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384</span>
    Session-ID: 61FEC1629DA3E675AA124223CDB9CB5AB7701D872E85E15 8&lt; snip 8&lt;
    Session-ID-ctx:
    Master-Key: F4260DFE9A7370B3EA85D22D89DB8A7925C655159C3C509 8&lt; snip 8&lt; 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 63 d6 2a 84 19 fe f6 9a-13 60 e1 8a 65 dd f9 fc   c.*......`..e...
8&lt; snip 8&lt;
    00a0 - 9a 2d 29 9b 8e aa ab 69-11 0d 45 ed 63 48 f5 4f   .-)....i..E.cH.O

    Start Time: 1415828121
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
8&lt; snip 8&lt;
</div>

<p> A &quot;bad select 38&quot; message is a VMS (C-RTL) limitation of earlier versions of
OpenSSL and is not present in later versions or on other platforms.  By default
s_client will then prompt for an HTTP request line, send that to the
server, and report the response.

<p> Checking whether a specific protocol version is enabled on a site:

<div class="blockof code">&dollar; openssl s_client -ssl2 -host <span class="high left italic">host name or address&gt;</span> -port 443
&dollar; openssl s_client -ssl3 -host <span class="high left italic">host name or address&gt;</span> -port 443
&dollar; openssl s_client -tls1 -host <span class="high left italic">host name or address&gt;</span> -port 443
&dollar; openssl s_client -tls1_1 -host <span class="high left italic">host name or address&gt;</span> -port 443
&dollar; openssl s_client -tls1_2 -host <span class="high left italic">host name or address&gt;</span> -port 443
&dollar; openssl s_client -tls1_3 -host <span class="high left italic">host name or address&gt;</span> -port 443
</div>

<p> The following example shows a server test where the protocol version is NOT
supported.

<div class="blockof code">&dollar; openssl s_client -ssl3 -host klaatu.private -port 443
8&lt; snip 8&lt;
SSL handshake has read 7 bytes and written 0 bytes
---<span style="background-color:yellow">
New, (NONE), Cipher is (NONE)</span>
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:<span style="background-color:yellow">
    Protocol  : SSLv3
    Cipher    : 0000</span>
8&lt; snip 8&lt;
</div>

<a id="4.8.0.0.3" href="#"></a>
<a id="4.8.tlsversion13" href="#"></a>
<a id="tlsversion13" href="#"></a>
<h5 class="head"><span class="text">TLS Version 1.3</span></h5>
<a id="4.8.0.0.3.1" href="#"></a>
<a id="4.8.testtlsversion13" href="#"></a>
<a id="testtlsversion13" href="#"></a>
<h6 class="head display0"><span class="text">test TLS Version 1.3</span></h6>

<p> Server TLSv1.3 response may be checked using an OPENSSL.EXE v1.1.1 or
later.

<div class="blockof code">&dollar; OPENSSL version
OpenSSL 1.1.1  11 Sep 2018
&dollar; OPENSSL s_client --host wasd.xxxxxxxxxx.xxx --port 443
CONNECTED(00000003)

depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = wasd.xxxxxxxxx.xxx
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHJDCCBgygAwIBAgISA8gmjxQDyTgXeAfy7ehpvXeBMA0GCSqGSIb3DQEBCwUA
8&lt; snip 8&lt; 
rL2n3YpsP2xuCwV6ZT+etAl1IrtmXuC9tnG2QRVtVJn7wyUacUTz3XuKagS9w6Bo
be0oPuGGnT0=
-----END CERTIFICATE-----
subject=CN = wasd.xxxxxxxxx.xxx

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3827 bytes and written 393 bytes
Verification error: unable to get local issuer certificate
---
<span style="background-color:yellow">
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384</span>
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
<span style="background-color:yellow">    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384</span> 
    Session-ID: 0074FBDFD12EF693B0419611204FF9EC6BFA3C006A2A7D312A9435CF7D79FE3A
    Session-ID-ctx:
    Resumption PSK: 3176C237B08F4E83B7AC32CBC79C8B79CC8FBA20837419682C4A97998898ECDE13F5254E0820C977AEC0B63C9B4B21C8
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 5400 (seconds)
    TLS session ticket:
    0000 - a7 99 08 ba aa 75 1d 53-68 c4 66 fb 5e 43 5e b2   .....u.Sh.f.^C^.
8&lt; snip 8&lt; 
    00d0 - 5d a5 3c 10 5e 4c 41 4b-bb 15 c9 5c 08 fe e1 1f   ].&lt;.^LAK...\....

    Start Time: 1537620807
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
<span style="background-color:yellow">    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384</span>
    Session-ID: 8DB922A11FD02889CED45C4D125C5A55B5F76B42B49826EF39CA265988FA4FA9
    Session-ID-ctx:
    Resumption PSK: 60F73CE06DDDA5737B607A20DF7E13D85CBFFD695DB98B53B9AF09A0DABE6B34A0F50F86E2578845F1E0EA799B014B42
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 5400 (seconds)
    TLS session ticket:
    0000 - a7 99 08 ba aa 75 1d 53-68 c4 66 fb 5e 43 5e b2   .....u.Sh.f.^C^.
8&lt; snip 8&lt; 
    00d0 - 92 32 8d 2c 9c 22 54 b1-6e 24 9a c3 de 1a de a2   .2.,.&quot;T.n&dollar;......

    Start Time: 1537620807
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
read:errno=0
</div>

<a id="4.9" href="#"></a>
<a id="4.9.sslreferences" href="#"></a>
<a id="sslreferences" href="#"></a>
<h2 class="head"><span class="numb">4.9</span><span class="text">SSL References</span></h2>

<p> The following provide a starting-point for investigating SSL and OpenSSL
further (verified available at time of publication).

<ul class="list">

<li class="item"> <a class="link blank" target="_blank" href="http://www.openssl.org/">http://www.openssl.org/</a>
<br> OpenSSL Project.  This site is the prime source for the full toolkit,
documentation, related links, news and support via mailing lists, etc.
<br> <a class="link blank" target="_blank" href="http://wiki.openssl.org/">http://wiki.openssl.org/</a>
<br> OpenSSL Wiki

<li class="item"> <a class="link blank" target="_blank" href="https://www.oreilly.com/library/view/high-performance-browser/9781449344757/ch04.html">https://www.oreilly.com/library/view/high-performance-browser/9781449344757/ch04.html</a>
<br> Ilya Grigorik's - Transport Layer Security (TLS)
<br> From the excellent <a class="link blank" target="_blank" href="https://www.oreilly.com/library/view/high-performance-browser/9781449344757/">https://www.oreilly.com/library/view/high-performance-browser/9781449344757/</a>

<li class="item"> <a class="link blank" target="_blank" href="http://en.wikipedia.org/wiki/Transport_Layer_Security">http://en.wikipedia.org/wiki/Transport_Layer_Security</a>
<br> Wikipedia - Transport Layer Security (SSL)

<li class="item">
<a class="link blank" target="_blank" href="https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.md">https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.md</a>
<br> OWASP Transport Layer Protection Cheat Sheet

<li class="item"> <a class="link blank" target="_blank" href="http://en.wikipedia.org/wiki/OpenSSL">http://en.wikipedia.org/wiki/OpenSSL</a>
<br> Wikipedia - OpenSSL

<li class="item"> <a class="link blank" target="_blank" href="http://en.wikipedia.org/wiki/Public_key_infrastructure">http://en.wikipedia.org/wiki/Public_key_infrastructure</a>
<br> Wikipedia - Public-Key Infrastructure

<li class="item"> <a class="link blank" target="_blank" href="https://www.ssllabs.com/">https://www.ssllabs.com/</a>
<br> Qualys SSL Labs
<br> <a class="link blank" target="_blank" href="https://www.ssllabs.com/ssltest/">https://www.ssllabs.com/ssltest/</a>
<br> SSL Server Test

<li class="item"> <a class="link blank" target="_blank" href="https://www.feistyduck.com/books/openssl-cookbook/">https://www.feistyduck.com/books/openssl-cookbook/</a>
<br> OpenSSL Cookbook by Ivan Ristic (of Qualys Labs) 
<br> As promoted by OpenSSL.org

<li class="item"> <a class="link blank" target="_blank" href="https://www.openssl.org/docs/manmaster/man1/openssl.html">https://www.openssl.org/docs/manmaster/man1/openssl.html</a>
<br> <a class="link blank" target="_blank" href="https://wiki.openssl.org/index.php/Command_Line_Utilities">https://wiki.openssl.org/index.php/Command_Line_Utilities</a>
<br> OPENSSL.EXE application 

<li class="item"> <a class="link blank" target="_blank" href="http://hohnstaedt.de/xca">http://hohnstaedt.de/xca</a>
<br> <a class="link blank" target="_blank" href="https://sourceforge.net/projects/xca/">https://sourceforge.net/projects/xca/</a>
<br> XCA is a GUI application intended for creating and managing X.509
certificates, certificate requests, RSA, DSA and EC private keys, Smartcards
and CRLs.

</ul>
<!-- source:0500_HTTP2.WASDOC -->
<hr class="page">
<a id="5." href="#"></a>
<a id="5.http2" href="#"></a>
<a id="http2" href="#"></a>
<h1 class="head"><span class="numb">5.</span><span class="text">HTTP/2</span></h1>

<div class="TOC2cols2">
<table class="TOC2table">
<tr><td><a href="#5.1.wasdhttp2"><span class="numb">5.1</span><span class="text">WASD HTTP/2</span></a>
<tr><td><a href="#5.2.http2andperformance"><span class="numb">5.2</span><span class="text">HTTP/2 and Performance</span></a>
<tr><td><a href="#5.3.http2configuration"><span class="numb">5.3</span><span class="text">HTTP/2 Configuration</span></a>
<tr><td><a href="#5.3.1.globalconfiguration"><span class="numb">5.3.1</span><span class="text">Global Configuration</span></a>
<tr><td><a href="#5.3.2.serviceconfiguration"><span class="numb">5.3.2</span><span class="text">Service Configuration</span></a>
<tr><td><a href="#5.3.3.http2setrules"><span class="numb">5.3.3</span><span class="text">HTTP/2 Set Rules</span></a>
<tr><td><a href="#5.4.http2detection"><span class="numb">5.4</span><span class="text">HTTP/2 Detection</span></a>
<tr><td><a href="#5.5.http2references"><span class="numb">5.5</span><span class="text">HTTP/2 References</span></a>
</table>
</div>

<table class="NAVtable NAVprint"><tr>
<td><a href="javascript:window.history.back();">&#8617;&#xFE0E;</a>
<td><a href="#4.">&#8598;&#xFE0E;</a>
<td><a href="#0.">&#8593;&#xFE0E;</a>
<td><a href="#6.">&#8600;&#xFE0E;</a>
<td><a href="javascript:window.history.forward();">&#8618;&#xFE0E;</a>
</table>

<p> HTTP/2 is the most recent standard (RFC 7540, 2015) for implementing how
HTTP is represented by, and transported between, client and server. It is not a
ground-up rewrite of the established standard, HTTP/1.1 (RFC 2616, 1999). 
Those elements and semantics remain substantially the same.  Instead HTTP/2
modifies how the data is encapsulated (framed) and transferred between agents,
abstracting the complexity of this within the new protocol layer, leaving the
application level largely insulated from change.  As a result all existing
HTTP/1.1 web-based environments should be able to continue without
modification.

<p> The focus of the protocol is on performance, in particular end-user
perceived page rendering and web application responsiveness.  With the original
web use case being a relatively simple, single resource request-response, and
early markup involving text with a few illustrative images, the single network
connection, back-to-back request-response paradigm was simple to implement and
worked well enough.  In short time this moved to multiple network connections,
each loading elements in parallel as the complexity and density of the
individual elements on the pages increased, and to the introduction of HTTP/1.1 
<span class="high italic">pipelining</span> (back-to-back requests over a single connection) in an
attempt to avoid request-response-request latency.  Modern web documents and
applications tend to have dozens of fine-grained elements that dynamically load
resources based on the content of the page and/or user interaction.  The
single, then multiple network connections, each with its round-trip TCP
connection establishment overhead and request-response blocking of resources,
did not scale effectively.  HTTP/2 replaces it with a single TCP connection on
which multiple resources concurrently can be requested, pushed, and
transferred.  A more rigorous and effective implementation of the pipeline
concept.

<p> While multiplexing communication over a single network connection is a core
performance technology there are other contributing elements. The framing layer
uses binary tokens and parameters.  The plain-text request and response headers
of HTTP/1.<span class="high italic">n</span> are replaced with tokenised, encoded and dynamically cached
equivalents, commonly providing compression in excess of eighty percent.  The
relationship and priority of resources can be established allowing inferior
resources to be delivered after or dependent on superior ones.  The HTTP/2
server can send multiple responses to a single request.  Known as <span class="high italic">server
push</span> it can be used to pre-load the browser (cache) with resources it has not
encountered yet.

<p> HTTP/2 has the potential to place additional load on the client and server
in comparison to HTTP/1.<span class="high italic">n</span>.  One particular consideration for WASD sites is
the <span class="high italic">stream concurrency</span> setting of the HTTP/2 connection.  The server
specifies to the client the maximum number of concurrent request-response (and
server push) <span class="high italic">streams</span> it will accept. RFC 7540 contains, &quot;This limit is
directional: it applies to the number of streams that the sender permits the
receiver to create. Initially, there is no limit to this value.  It is
recommended that this value be no smaller than 100, so as to not unnecessarily
limit parallelism.&quot;  This translates to a hypothetical ten browsers connected
to the site each with up to one hundred concurrent streams, or potentially one
thousand active requests!  Time to check those server configuration and SYSGEN
parameters&hellip;

<p> Note that HTTP/1.1 has recently been revisited with the RFC 7230 family of
specifications (2014), providing some clarifications and refinements to the
original.

<a id="5.1" href="#"></a>
<a id="5.1.wasdhttp2" href="#"></a>
<a id="wasdhttp2" href="#"></a>
<h2 class="head"><span class="numb">5.1</span><span class="text">WASD HTTP/2</span></h2>

<p> WASD HTTP/2 implements all of the essential requirements of RFC 7540
(naturally enough).  This includes the framing protocol, datagram (message) and
stream management, header compression (RFC 7541), connection settings and flow
control, along with HTTP/2 connection establishment and termination (TLS ALPN
and HTTP upgrade).  It does not ((perhaps) currently) provide server-push or
stream prioritisation and dependency.

<p> Prior to the introduction of HTTP/2, WASD's fundamental abstraction was the
request, with each request interfacing directly with the network stack.  With
an HTTP/2 protocol connection somewhat supplanting the role of a Transmission
Control Protocol (TCP) connection in HTTP/1.<span class="high italic">n</span>, a new level of communication
abstraction was required between the request processing and the network
processing.  It should be noted that HTTP/2 itself is transported on TCP.

<p> Another new layer of abstraction required interfacing each protocol's
request/response header formats with the underlying server processing (avoiding
excessive duplication of code).  HTTP/1.<span class="high italic">n</span> has a plain-text,
carriage-control separated format, while HTTP/2 has a binary, compressed,
lookup-table oriented format (RFC 7541).  The layer was implemented using a
<span class="high italic">key</span>-<span class="high italic">value</span> dictionary.

<p> The accommodations for handling both HTTP/2 and HTTP/1.1, along with related
and ancillary design and code changes, have not measurably impacted overall
WASD performance, although as noted below there is a server process CPU impost
associated with HTTP/2.

<div class="note">
<a id="5.1.0.0.1" href="#"></a>
<a id="5.1.itsfairtosayhellip" href="#"></a>
<a id="itsfairtosayhellip" href="#"></a>
<h5 class="head center"><span class="text">It's fair to say&hellip;</span></h5>
<hr class="note_hr">
Reimplementing the complexities and subtleties of TCP &mdash; and adding a few of
its own &mdash; up in the application layer has made HTTP/2 a significantly more
complicated and less transparent protocol than HTTP/1.1 and, while solving
some minor annoyances with that, has sacrificed the usefulness and elegance of a
once readable byte-stream.  It has certainly added layers and associated processing to
WASD, breaking the original I/O event driven design for possibly minor
performance improvements.
<hr class="note_hr">
</div>

<a id="5.1.0.0.2" href="#"></a>
<a id="5.1.http2andwatch" href="#"></a>
<a id="http2andwatch" href="#"></a>
<h5 class="head"><span class="text">HTTP/2 and WATCH</span></h5>

<p> WATCH reports have the network item: [x]HTTP/2.  This provides a detailed
overview of the underlying framing and connection management exchanges between
client and server.  WATCH reports are available to HTTP/2 connected clients
with one consideration.  Due to multiplexed requests over the single network
connection, WATCHing the [x]HTTP/2 item of another request in the same browser
(using the same HTTP/2 connection - and there <span class="high italic">can</span> be multiple from a single
browser) is not possible (or at least more code than it's worth).  The HTTP/2
activity of the WATCHing generates more report items which generate &hellip; a
descent into reporting oblivion.

<p>  WASD detects when a request is initiated on the same HTTP/2 connection as
an [x]HTTP/2 WATCHing client and if this sort of reporting cascade is possible
(any <span class="high italic">networking</span> group item) advises 

<div class="blockof code">&verbar;Time_______&verbar;Module__&verbar;Line&verbar;Item&verbar;Category__&verbar;Event...&verbar;
&verbar;22:00:55.22 WATCH    1823 0004 CONNECT    HTTP/2 with 192.168.1.2,62446 on https://klaatu.private,443 (0.0.0.0)&verbar;
&verbar;22:00:55.22 WATCH    1454 0004 CONNECT    HTTP/2 rabbit hole&verbar;
</div>
 Such a request is not reported on further.

<p> Workarounds?

<ul class="list list0">
<li class="item"> WATCH from an independent browser instance.  Often requires a separate host
or different browser (e.g. Chrome and Firefox on the same host).
<li class="item"> Have an HTTP/1.1 (only) service on the same server and use WATCH from that.
</ul>

<a id="5.2" href="#"></a>
<a id="5.2.http2andperformance" href="#"></a>
<a id="http2andperformance" href="#"></a>
<h2 class="head"><span class="numb">5.2</span><span class="text">HTTP/2 and Performance</span></h2>

<p> With HTTP/2 not modifying the fundamentals of HTTP/1.1 semantics the
commonly touted payoff for all the additional complexity (in implementation) is
performance.  While this is often stated in terms of page rendering speeds or
web application responsiveness there is another significant measure of
performance - efficiency.  HTTP/2 much more efficiently utilises each network
(TCP) connection, as well as reducing the (time and processing) overhead of
setting-up and tearing-down of each of these required for parallelism under
HTTP/1.1.

<a id="5.2.0.0.1" href="#"></a>
<a id="5.2.isitallworthitnbspnbspasmightbeexpectedndashthatdepends" href="#"></a>
<a id="isitallworthitnbspnbspasmightbeexpectedndashthatdepends" href="#"></a>
<h5 class="head"><span class="text">Is it all worth it?&nbsp;&nbsp;As might be expected &ndash; that depends.</span></h5>

<p> There are a number of sufficiently good analyses of both the factors that
affect HTTP/2 performance and the actual performance relative to HTTP/1.1. See
the references section and search the Web.  This section contains some
observations made during WASD HTTP/2 development. All of these seem to
correspond with others' observations, as well as what might reasonably be
expected considering the strategies employed by the protocol.

<ul class="list">

<li class="item"> For simple request-response use cases (e.g. download a file) HTTP/2
makes no observable performance difference.

<li class="item"> Where multiple resources need to be loaded by a page the measurable
performance improvement is proportional to the number of resources and the
latency of the network.

<li class="item"> In a low-latency environment such as the average LAN (e.g. 5mS RTT)
HTTP/2 makes minimal  difference irrespective of the number of resources loaded
(until it reaches ridiculous quantities).

<li class="item"> In a high-latency environment such as a VPN spanning half the globe
(e.g. 350mS RTT) HTTP/2 makes an obvious and of course measurable improvement
for anything other than a trivial number of resources. 

<li class="item"> On a CPU constrained system HTTP/1.<span class="high italic">n</span> is significantly more
responsive than HTTP/2.  This is unsurprising considering the explicit
multiplexing and header marshalling employed by HTTP/2.

<li class="item"> On the developer's bench there is ~10% more CPU consumed for the same load
profile** via HTTP/2 compared to HTTP/1.1 for similar durations.  This is
(probably) due to header compression and multiplexed stream processing.  It is
(probably) offset (to some degree) by fewer resources consumed in the network
stack managing the multiple TCP connections of HTTP/1.1.

<p> As also related in <a class="link" href="#11.serverperformance">11. Server Performance</a>, using the same load profile
as above** and using HTTP/1.1, WASD v11.0 compared to v10.4 showed ~5%
additional CPU and duration.  This is (probably) largely due to dictionary
processing.

<p class="indent"> ** <span class="high italic">100 individual files, size 2kB to 250kB, 50 concurrent, ~30%
CPU utilisation (~5% USER mode, mostly INTERRUPT servicing), batched 10,000 at
a time over a LAN.</span>

</ul>

<div class="note">
<a id="5.2.0.0.2" href="#"></a>
<a id="5.2.ymmv" href="#"></a>
<a id="ymmv" href="#"></a>
<h5 class="head center"><span class="text">YMMV!</span></h5>
<hr class="note_hr">
After some months (and now years) accessing WASD HTTP/2 over various LANs and
WANs the developer, FWIW, can't shake the perception that it <span class="high italic">seems</span>
generally more responsive in the real world.  Yet interestingly &hellip;
<hr class="note_hr">
</div>

<a id="5.2.0.0.3" href="#"></a>
<a id="5.2.performanceassessment" href="#"></a>
<a id="performanceassessment" href="#"></a>
<h5 class="head"><span class="text">Performance Assessment</span></h5>

<p> As described in <a class="link blank" target="_blank" href="../config/#serverandsitetesting">Server and Site Testing</a> in <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>
the OWASP ZAP application is integral to WASD test and exercise.  It can
generate an intense stream of traffic via cleartext (port 80) or TLS (port
443).

<div class="drawing dfont draw indent">
<style>
/* Orientation helpers for the arrow glyphs in the box drawings of this
   section (dhflip/dnoflip are used below; dvflip is not used here).
   rotate(360deg) is a visual no-op kept for symmetry with the flipped forms. */
.dhflip { display:inline-block;transform:rotate(180deg); }
.dvflip { display:inline-block;transform:rotate(-180deg); }
.dnoflip { display:inline-block;transform:rotate(360deg); }
/* Monospace rendering for the drawings.
   NOTE(review): "line-spacing" is not a standard CSS property and is ignored
   by browsers; "line-height" is what actually controls the spacing here. */
.dfont { font-family:monospace;font-size:1em;line-height:0.9em;line-spacing:0em; }
</style>
&#x250c;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2510;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x250c;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2510;<br>
&#x2502;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2502;<span class="dnoflip">&#x25c4;</span>&#x2500;&#x2500;HTTP/1.1&nbsp;clear&#x2500;&#x2500;<span class="dhflip">&#x25c4;</span>&#x2502;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2502;<br>
&#x2502;&nbsp;OWASP&nbsp;ZAP&nbsp;&#x2502;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2502;&nbsp;&nbsp;&nbsp;&nbsp;WASD&nbsp;&nbsp;&nbsp;&nbsp;&#x2502;<br>
&#x2502;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2502;<span class="dnoflip">&#x25c4;</span>&#x2500;&#x2500;&#x2500;HTTP/1.1&nbsp;TLS&#x2500;&#x2500;&#x2500;<span class="dhflip">&#x25c4;</span>&#x2502;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2502;<br>
&#x2514;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2518;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2514;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2518;<br>
</div>


<p> Using the <span class="high italic">nghttpx</span> proxy utility (see reference below), OWASP ZAP is also used to
exercise WASD's HTTP/2.

<div class="drawing dfont draw indent">
&#x250c;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2510;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x250c;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2510;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x250c;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2510;&nbsp;<br>
&#x2502;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2502;<span class="dnoflip">&#x25c4;</span>&#x2500;&#x2500;HTTP/1.1&nbsp;clear&#x2500;&#x2500;<span class="dhflip">&#x25c4;</span>&#x2502;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2502;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2502;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2502;<br>
&#x2502;&nbsp;OWASP&nbsp;ZAP&nbsp;&#x2502;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2502;&nbsp;&nbsp;nghttpx&nbsp;&nbsp;&nbsp;&#x2502;<span class="dnoflip">&#x25c4;</span>&#x2500;&#x2500;HTTP/2&nbsp;TLS&#x2500;&#x2500;<span class="dhflip">&#x25c4;</span>&#x2502;&nbsp;&nbsp;&nbsp;&nbsp;WASD&nbsp;&nbsp;&nbsp;&nbsp;&#x2502;<br>
&#x2502;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2502;<span class="dnoflip">&#x25c4;</span>&#x2500;&#x2500;&#x2500;HTTP/1.1&nbsp;TLS&#x2500;&#x2500;&#x2500;<span class="dhflip">&#x25c4;</span>&#x2502;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2502;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2502;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2502;<br>
&#x2514;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2518;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2514;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2518;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2514;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2518;<br>
</div>


<p> On the development bench Alpha PWS500 formal performance assessment using
this is disappointing <span class="high _frowny">&thinsp;</span>

<p> See <a class="link" href="#11.1.http2encrypted">&lsquo;HTTP/2 (encrypted)&rsquo; in 11.1 Simple File Request Turn-Around</a> in section <a class="link" href="#11.serverperformance">11. Server Performance</a>.

<p> This may just reflect the CPU capacity of the benchmark system and that all
requests are being transported through a single encrypted connection.

<a id="5.2.0.0.4" href="#"></a>
<a id="5.2.httpreport" href="#"></a>
<a id="httpreport" href="#"></a>
<h5 class="head"><span class="text">HTTP Report</span></h5>

<p> WASD keeps track of HTTP family statistics.

<p> After 3.8 million requests via OWASP ZAP using the above configuration over
a number of spider-generated scans, one third of which were HTTP/2, one third
over TLS HTTP/1.1, and another third cleartext HTTP/1.1, the following image
suggests requests using HTTP/2 take approximately 50% of HTTP/1.1.

<a class="imglink" target="_blank" href="./http_report.png"><img class="image" src="./http_report.png" alt="WASD Server Admin HTTP Report comparing HTTP/2 and HTTP/1.1 request statistics"></a>

<a id="5.2.0.0.5" href="#"></a>
<a id="5.2.otherassessment" href="#"></a>
<a id="otherassessment" href="#"></a>
<h5 class="head"><span class="text">Other Assessment</span></h5>

<p> The simplest tool for getting a <span class="high italic">feel</span> for, and elementary measurement of
HTTP/2 may be found in the <a class="link blank" target="_blank" href="/wasd_root/exercise/*.*">WASD_ROOT:[EXERCISE]</a>
directory.  The document DOTTY.HTML and its companion files provide a page that
loads a selectable number of resources (images) in a consistent and
reproducible manner.  This DOTTY.HTML can be accessed via unencrypted HTTP
(http://), encrypted HTTP (https://) and services configured to provide HTTP/2
or HTTP/1.1.   Using these combinations with the selectable volume of
resources, elementary comparisons may be made in target environments.

<p> The Server Admin, HTTP Report (<a class="link" href="#9.serveradministration">9. Server Administration</a>) contains
comparative duration and bytes-per-second minimum/maximum/average for total
server HTTP/2 and HTTP/1.<span class="high italic">n</span> requests.  These cannot simply be taken
at face value without some consideration of the respective load profile but
under controlled conditions can provide useful metrics.

<p> Other development and load/performance tools were employed from a Linux
platform.  For someone educated in computing during the (19)70s, the
availability of VM technology for such purposes is just brilliant!&nbsp;&nbsp;&nbsp;<span class="high italic">But you know, we were happy in those days, though we were poor.</span> 

<p> Indispensable were

<ul class="list simple list0">
<li class="item"> <a class="link blank" target="_blank" href="https://nghttp2.org/documentation/nghttp.1.html">https://nghttp2.org/documentation/nghttp.1.html</a>
<li class="item"> <a class="link blank" target="_blank" href="https://nghttp2.org/documentation/h2load.1.html">https://nghttp2.org/documentation/h2load.1.html</a>
<li class="item"> <a class="link blank" target="_blank" href="https://nghttp2.org/documentation/nghttpx.1.html">https://nghttp2.org/documentation/nghttpx.1.html</a>
<li class="item"> <a class="link blank" target="_blank" href="https://www.zaproxy.org">https://www.zaproxy.org</a>
</ul>

<p> Many thanks to the developer(s) of this package.

<a id="5.3" href="#"></a>
<a id="5.3.http2configuration" href="#"></a>
<a id="http2configuration" href="#"></a>
<h2 class="head"><span class="numb">5.3</span><span class="text">HTTP/2 Configuration</span></h2>

<p> While effectively transparent to the end-user, HTTP/2 has some aspects that
need to be carefully considered by the server administrator.

<ul class="list">

<li class="item"> The level of (request) concurrency suggested by RFC 7540 section 6.5.2
would likely  require redimensioning a web server and possibly the supporting
system.  Environments historically expecting per-client resource demand to be
limited by the number of concurrent (HTTP/1.<span class="high italic">n</span>) network connections
an agent will deploy per origin server, often limited to less than a dozen,
might behave entirely differently when presented with many dozens, or
potentially hundreds of requests.  WASD's default of 100 is the RFC
recommendation in part because browsers tend to open multiple connections
to maintain the parallelism sought, so a reduction in HTTP/2 stream
concurrency often just increases HTTP/2 connection concurrency.

<li class="item"> Secure HTTP requires a minimum of TLS 1.2 with SNI and ALPN (RFC 7540
section 9.2).

<li class="item"> The ciphers available for use with HTTP/2 secure HTTP are quite specific
(at least in what the RFC prohibits - RFC 7540 Appendix A).  This and the
overall encryption requirements for HTTP/2 can cause issues with established
(older) agents and with mainstream browsers strictly enforcing the RFC
definitions making support for combined /2-/1.1 services sometimes problematic.

<p> Use of elliptic curve ciphers (ECDHE), as an element of Perfect Forward
Secrecy (PFS), is mandated for HTTP/2 (RFC 7540 section 9.2.2).  The keys for
the elliptic curve ciphers are stored in PEM-encoded files located in
WASD_ROOT:[LOCAL].  These can be copied from the WASD OpenSSL package using

<div class="blockof code">&dollar; copy WASD_ROOT:[SRC.OPENSSL-<span class="high italic">n_n_n</span>.WASD.CERT]DH_PARAM_*.PEM WASD_ROOT:[LOCAL]
</div>

or locally generated as described in <a class="link" href="#4.5.5.forwardsecrecy">4.5.5 Forward Secrecy</a>. 

<p> This SSL configuration and minimum cipher list seems to work for all major
browsers at the time of writing:

<div class="blockof code"># WASD_CONFIG_GLOBAL
[SecureSocket]  enabled
[SSLversion]  TLSvall
[SSLoptions]  +OP_CIPHER_SERVER_PREFERENCE
[SSLcipherList] EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:-DSS:
</div>

<span class="high bold">YMMV!</span>

<li class="item"> TLS renegotiation (e.g. for a client certificate) must not be performed
on an HTTP/2 secure connection.  This precludes having selected paths perform
authorisation based on X509 and means that the service itself must request a
client certificate at connection establishment (RFC 7540 section 9.2.1).

<li class="item"> While the protocol provides for HTTP/2 using non-TLS (non-SSL)
connections the major browsers (Chrome, Edge (MSIE), Firefox, Safari) only
support it when using TLS.  To <span class="high italic">encourage</span> naive users to a TLS service the
following mapping rule approach may be used to redirect non-TLS home page
connections.

<div class="blockof code"># WASD_CONFIG_MAP
[[*:80]]
if (!ssl:) redirect / https:///
</div>

</ul>

<a id="5.3.1" href="#"></a>
<a id="5.3.1.globalconfiguration" href="#"></a>
<a id="globalconfiguration" href="#"></a>
<h3 class="head"><span class="numb">5.3.1</span><span class="text">Global Configuration</span></h3>

<p> HTTP/2 and its features are globally enabled and configured using
directives contained in the WASD_CONFIG_GLOBAL configuration file.

<a id="5.3.1.0.1" href="#"></a>
<a id="5.3.1.http2globalconfiguration" href="#"></a>
<a id="http2globalconfiguration" href="#"></a>
<h5 class="head"><span class="text">HTTP/2 Global Configuration</span></h5>

<table class="tabl">
<tr class="tabr under">
<th class="tabh">Directive
<th class="tabh">Description
<th class="tabh right">Default
<tr class="tabr">
<tr class="tabr backlight">
<td class="tabd">[Http2Protocol]
<td class="tabd">enabled or disabled on a whole-of-server basis
<td class="tabd right">disabled
<tr class="tabr">
<td class="tabd">[Http2FrameSizeMax]
<td class="tabd">maximum frame size in octets (bytes) the server
is prepared to receive
<td class="tabd right">16384
<tr class="tabr backlight">
<td class="tabd">[Http2HeaderListMax]
<td class="tabd">maximum number of octets (bytes) permitted in
a received header once uncompressed
<td class="tabd right">65535
<tr class="tabr">
<td class="tabd">[Http2HeaderTableMax]
<td class="tabd">maximum number of bytes permitted in the
server-end header cache
<td class="tabd right">4096
<tr class="tabr backlight">
<td class="tabd">[Http2PingSeconds]
<td class="tabd">number of seconds between connection RTT
pings
<td class="tabd right">300
<tr class="tabr">
<td class="tabd">[Http2StreamsMax]
<td class="tabd">maximum number of concurrent streams (requests)
the server permits on the connection
<td class="tabd right">32
<tr class="tabr backlight">
<td class="tabd">[Http2InitWindowSize]
<td class="tabd">initial window size (number of octets in
transit) for flow-control purposes
<td class="tabd right">6291456
</table>

<p> These largely reflect settings and defaults from RFC 7540 section 6.5.1.

<ul class="list">
<li class="item"> The minimum frame size is defined by the RFC at 16384.
<li class="item"> WASD automatically pings a connection every configured seconds.  The
latest value is available as real-number milliseconds in dictionary entry
&quot;http2_ping&quot; and CGI variable HTTP2_PING.
</ul>

<a id="5.3.2" href="#"></a>
<a id="5.3.2.serviceconfiguration" href="#"></a>
<a id="serviceconfiguration" href="#"></a>
<h3 class="head"><span class="numb">5.3.2</span><span class="text">Service Configuration</span></h3>

<p> Using the WASD_CONFIG_SERVICE directive [ServiceHttp2Protocol] HTTP/2
may be disabled on a per-service basis.  The default is enabled if HTTP/2 is
enabled globally.

<a id="5.3.3" href="#"></a>
<a id="5.3.3.http2setrules" href="#"></a>
<a id="http2setrules" href="#"></a>
<h3 class="head"><span class="numb">5.3.3</span><span class="text">HTTP/2 Set Rules</span></h3>

<p> WASD request processing rules may be used on a per-path basis to modify
(some) global configuration settings and provide other HTTP/2 configuration.
See <a class="link blank" target="_blank" href="../config/#requestprocessingconfiguration">Request Processing Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>.

<table class="tabl">
<tr class="tabr under">
<th class="tabh">Rule
<th class="tabh">Description
<tr class="tabr">
<tr class="tabr backlight">
<td class="tabd">HTTP2=PROTOCOL=1.1
<td class="tabd">send a &quot;HTTP_1_1_REQUIRED&quot; error
causing the client to use HTTP/1.1 (RFC 7540 section 7)
<tr class="tabr">
<td class="tabd">HTTP2=SEND=GOAWAY
<td class="tabd">send a &quot;GOAWAY&quot; frame to the client
resulting in it dropping the HTTP/2 connection
<tr class="tabr backlight">
<td class="tabd">HTTP2=SEND=PING
<td class="tabd">send a &quot;PING&quot; frame to the client
calculating the Round Trip Time (RTT) of the connection
<tr class="tabr">
<td class="tabd">HTTP2=SEND=RESET
<td class="tabd">send a &quot;RST_STREAM&quot; frame to the client 
causing it to drop the HTTP/2 stream (request in progress)
<tr class="tabr backlight">
<td class="tabd">HTTP2=STREAMS=MAX=<span class="high italic">integer</span>
<td class="tabd">set the maximum concurrent
streams on a per-path basis
<tr class="tabr">
<td class="tabd">HTTP2=WRITE=<span class="high italic">low&verbar;normal&verbar;high</span>
<td class="tabd">When request
data  is written it is queued at the specified priority, where high priority
are written before normal (default) and low priority, and normal priority
before low.  This is only for associated stream (request) and is not a
connection or whole-of-server prioritisation.
</table>

<p> Use path SETings to prioritise some resources (e.g. CSS and JavaScript)
over others (e.g. images) and potentially improve page rendering speed.  Where
multiple concurrent requests are being serviced on the one HTTP/2 connection
this will deliver the <span class="high italic">high</span>er priority content before others.

<div class="blockof code"># WASD_CONFIG_MAP
SET **.css http2=write=high
SET **.js  http2=write=high
</div>

<a id="5.4" href="#"></a>
<a id="5.4.http2detection" href="#"></a>
<a id="http2detection" href="#"></a>
<h2 class="head"><span class="numb">5.4</span><span class="text">HTTP/2 Detection</span></h2>

<p> A request using HTTP/2 may be detected during processing with the
<span class="high italic">http2:</span> conditional.

<div class="blockof code">if (http2:)
   <span class="high italic">do this</span>
endif
</div>

<p> See <a class="link blank" target="_blank" href="../config/#conditionalconfiguration">Conditional Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>.

<p> A script may detect HTTP/2 using the REQUEST_PROTOCOL CGI variable with the
value &quot;HTTP/2&quot;.  Other protocol versions are similarly represented.

<p> A Server-Side Includes (SSI) document can use variations on the following
construct (and similar to the script suggestion immediately above) to detect
and process the request protocol.

<div class="blockof code">&lt;!--#if var={request_protocol} eqs=&quot;HTTP/2&quot; --&gt;
HTTP/2
&lt;!--#else--&gt;
HTTP/1.n
&lt;!--#endif--&gt;
</div>

This is demonstrated in the example SSI document:
<p class="indent"> <a class="link blank" target="_blank" href="/wasd_root/exercise/shtml.shtml">WASD_ROOT:[EXERCISE]SHTML.SHTML</a>

<p> At the time of writing there was no widely supported browser mechanism for a
dynamic document (i.e. JavaScript) to determine the underlying HTTP protocol used
to access a resource (more recent browsers expose the negotiated protocol through
the Resource Timing API <span class="high italic">nextHopProtocol</span>
attribute, where that is available).  To obtain this information from the
server side, the server must be used.  The suggested method, and the one
employed by the DOTTY.HTML tool described above, is to provide one JavaScript
source for HTTP/2 and another for everything else.

<p> The document would contain

<div class="blockof code">&lt;script type=&quot;text/javascript&quot; src=&quot;/example-path/http.js&quot;&gt;&lt;/script&gt;
</div>

and the server configuration

<div class="blockof code"># WASD_CONFIG_MAP
if (http2:)
   map /example-path/http.js /example-path/http2.js
else
   map /example-path/http.js /example-path/http1.js
endif
</div>

where each contains, at minimum, a variable assignment or similar flag that the
document can test.

<a id="5.5" href="#"></a>
<a id="5.5.http2references" href="#"></a>
<a id="http2references" href="#"></a>
<h2 class="head"><span class="numb">5.5</span><span class="text">HTTP/2 References</span></h2>

<p> The following provide a starting-point for investigating HTTP/2 (verified
available at time of publication).

<ul class="list">

<li class="item"> <a class="link blank" target="_blank" href="https://http2.github.io/">https://http2.github.io/</a>
<br> Home page for HTTP/2 maintained by the IETF HTTP Working Group.

<li class="item"> <a class="link blank" target="_blank" href="https://en.wikipedia.org/wiki/HTTP/2">https://en.wikipedia.org/wiki/HTTP/2</a>

<li class="item">  <a class="link blank" target="_blank" href="https://httpwg.github.io/specs/rfc7540.html">https://httpwg.github.io/specs/rfc7540.html</a>
<br> <a class="link blank" target="_blank" href="https://tools.ietf.org/html/rfc7540">https://tools.ietf.org/html/rfc7540</a>
<br> HTTP/2 specification

<li class="item">  <a class="link blank" target="_blank" href="https://httpwg.github.io/specs/rfc7541.html">https://httpwg.github.io/specs/rfc7541.html</a>
<br> <a class="link blank" target="_blank" href="https://tools.ietf.org/html/rfc7541">https://tools.ietf.org/html/rfc7541</a>
<br> HPACK (header compression) specification

<li class="item">  <a class="link blank" target="_blank" href="https://httpwg.github.io/specs/rfc7230.html">https://httpwg.github.io/specs/rfc7230.html</a>
<br> <a class="link blank" target="_blank" href="https://tools.ietf.org/html/rfc7230">https://tools.ietf.org/html/rfc7230</a>
<br> The HTTP/1.1 specifications current at the time of writing (RFC 7230 through RFC 7235)

<li class="item"> <a class="link blank" target="_blank" href="http://http2-explained.haxx.se/">http://http2-explained.haxx.se/</a>
<br> Useful overview of HTTP/2 by the developer of cURL.

<li class="item"> <a class="link blank" target="_blank" href="https://hpbn.co/http2/">https://hpbn.co/http2/</a>
<br> Another useful and more detailed overview of the protocol.
<br> From the excellent <a class="link blank" target="_blank" href="https://hpbn.co/">https://hpbn.co/</a> 

<li class="item"> <a class="link blank" target="_blank" href="http://undertow.io/blog/2015/04/27/An-in-depth-overview-of-HTTP2.html">http://undertow.io/blog/2015/04/27/An-in-depth-overview-of-HTTP2.html</a>
<br> A concise and useful summary.

<li class="item"> <a class="link blank" target="_blank" href="https://blog.cloudflare.com/tools-for-debugging-testing-and-using-http-2/">https://blog.cloudflare.com/tools-for-debugging-testing-and-using-http-2/</a>
<br> Not much here for VMS but a useful survey nonetheless.

</ul>
<!-- source:0600_WEBDAV.WASDOC -->
<hr class="page">
<a id="6." href="#"></a>
<a id="6.webdav" href="#"></a>
<a id="webdav" href="#"></a>
<h1 class="head"><span class="numb">6.</span><span class="text">WebDAV</span></h1>

<div class="TOC2cols2" style="width:80%;max-width:80%;">
<table class="TOC2table">
<tr><td><a href="#6.1.httpmethodssupported"><span class="numb">6.1</span><span class="text">HTTP Methods Supported</span></a>
<tr><td><a href="#6.1.1.copyrestrictions"><span class="numb">6.1.1</span><span class="text">COPY Restrictions</span></a>
<tr><td><a href="#6.1.2.deleterestrictions"><span class="numb">6.1.2</span><span class="text">DELETE Restrictions</span></a>
<tr><td><a href="#6.1.3.moverestrictions"><span class="numb">6.1.3</span><span class="text">MOVE Restrictions</span></a>
<tr><td><a href="#6.1.4.ifrestrictions"><span class="numb">6.1.4</span><span class="text">If: Restrictions</span></a>
<tr><td><a href="#6.2.webdavconfiguration"><span class="numb">6.2</span><span class="text">WebDAV Configuration</span></a>
<tr><td><a href="#6.2.1.webdavsetrules"><span class="numb">6.2.1</span><span class="text">WebDAV Set Rules</span></a>
<tr><td><a href="#6.2.2.filenaming"><span class="numb">6.2.2</span><span class="text">File Naming</span></a>
<tr><td><a href="#6.2.3.filesystemaccess"><span class="numb">6.2.3</span><span class="text">File-system Access</span></a>
<tr><td><a href="#6.2.4.filesystemauthorisation"><span class="numb">6.2.4</span><span class="text">File-system Authorisation</span></a>
<tr><td><a href="#6.2.5.concurrentauthorisation"><span class="numb">6.2.5</span><span class="text">Concurrent Authorisation</span></a>
<tr><td><a href="#6.2.6.realworldexample"><span class="numb">6.2.6</span><span class="text">Real-World Example</span></a>
<tr><td><a href="#6.3.webdavmetadata"><span class="numb">6.3</span><span class="text">WebDAV Metadata</span></a>
<tr><td><a href="#6.4.webdavlocking"><span class="numb">6.4</span><span class="text">WebDAV Locking</span></a>
<tr><td><a href="#6.5.somewrinkles"><span class="numb">6.5</span><span class="text">Some Wrinkles</span></a>
<tr><td><a href="#6.5.1.osxfinder"><span class="numb">6.5.1</span><span class="text">OS X Finder</span></a>
<tr><td><a href="#6.5.2.gnomegvfsnautilus"><span class="numb">6.5.2</span><span class="text">Gnome/gvfs/Nautilus</span></a>
<tr><td><a href="#6.5.3.dreamweaver"><span class="numb">6.5.3</span><span class="text">Dreamweaver</span></a>
<tr><td><a href="#6.6.microsoftmiscellanea"><span class="numb">6.6</span><span class="text">Microsoft Miscellanea</span></a>
<tr><td><a href="#6.6.1.mapping"><span class="numb">6.6.1</span><span class="text">Mapping</span></a>
<tr><td><a href="#6.6.2.frontpageextensions"><span class="numb">6.6.2</span><span class="text">FrontPage Extensions</span></a>
<tr><td><a href="#6.6.3.avoidingmicrosoftpropertyclutter"><span class="numb">6.6.3</span><span class="text">Avoiding Microsoft Property Clutter</span></a>
<tr><td><a href="#6.6.4.optionsheaderquotmsauthorviadavquot"><span class="numb">6.6.4</span><span class="text">OPTIONS header &quot;MS-Author-Via: DAV&quot;</span></a>
<tr><td><a href="#6.6.5.repairingbrokenxpwebfolders"><span class="numb">6.6.5</span><span class="text">Repairing broken XP Web Folders</span></a>
<tr><td><a href="#6.6.6.addingaportnumbertothewebfolderaddress"><span class="numb">6.6.6</span><span class="text">Adding a port number to the webfolder-address</span></a>
<tr><td><a href="#6.6.7.addinganumbersignquotquottothewebfolderaddress"><span class="numb">6.6.7</span><span class="text">Adding a number-sign (&quot;#&quot;) to the webfolder-address</span></a>
<tr><td><a href="#6.6.8.forcewindowsxptousebasicauthentication"><span class="numb">6.6.8</span><span class="text">Force Windows XP to use Basic Authentication</span></a>
<tr><td><a href="#6.6.9.microsoftxpexplorerbasicauthentication"><span class="numb">6.6.9</span><span class="text">Microsoft XP Explorer BASIC Authentication</span></a>
<tr><td><a href="#6.6.10.microsoftwindows7basicauthentication"><span class="numb">6.6.10</span><span class="text">Microsoft Windows 7 BASIC Authentication</span></a>
<tr><td><a href="#6.6.11.error0x800700dfthefilesizeexceedsthelimitallowedandcannotbesaved"><span class="numb">6.6.11</span><span class="text">Error 0x800700DF: The file size exceeds the limit allowed and cannot be saved</span></a>
<tr><td><a href="#6.7.references"><span class="numb">6.7</span><span class="text">References</span></a>
</table>
</div>


<p> Web-based Distributed Authoring and (not) Versioning for the WASD package.

<p> Effective WASD WebDAV file-space (without significant naming constraints)
relies on being hosted on ODS-5 volumes.  Behaviour hosting file-space on ODS-2
volumes is untested (though possible provided file naming is constrained to
ODS-2 conventions).

<p> WASD WebDAV methods and request headers, etc., are also propagated to the
scripting environment and so functionality may be implemented using CGI,
CGIplus or RTE based applications.

<p> WASD proxy-serving supports WebDAV methods, header fields, etc.

<p> Generally WebDAV clients are applications other than browsers and so
response  bodies with human-readable error explanations are unnecessary and
consume bandwidth to no good purpose, and so not provided.

<p> File-systems are notoriously latent components relative to the rest of the
system (more so with VMS).  Any operation on a collection (directory) is not
going to be atomic, and for large collections requiring many sub-operations the
potential for the process to be interrupted or otherwise disturbed is
enormous.  File-systems are not databases amenable to extensive ACID
operations.

<p> In addition each file under WebDAV management has the potential for an
associated but independent metadata file.  This of course means for every
DAV-specific resource file activity there is at least a file-system action to
check for a metadata file and for some actions such as COPY the potential for
an associated but entirely independent file operation.

<p> Of course WebDAV was not intended or designed as a general file-system
protocol  but one for distributed management of somewhat restricted collections
of Web-related resources and so in context probably works well enough.

<p> See sections below on file-system operation method restrictions.

<div class="note">
<a id="6.0.0.0.1" href="#"></a>
<a id="6.caution" href="#"></a>
<a id="caution" href="#"></a>
<h5 class="head center"><span class="text">Caution</span></h5>
<hr class="note_hr">
If using WebDAV in any serious fashion the likes of
<div class="blockof code">&dollar; HTTPD/DO=RESTART=NOW
</div>

<p> during server WebDav file-system modifications is a recipe for
inconsistency and/or corruption!
<hr class="note_hr">
</div>

<a id="6.1" href="#"></a>
<a id="6.1.httpmethodssupported" href="#"></a>
<a id="httpmethodssupported" href="#"></a>
<h2 class="head"><span class="numb">6.1</span><span class="text">HTTP Methods Supported</span></h2>

<p> A list of WebDAV methods, what WASD does with them, and any limitations or
restrictions.  Some of these are familiar HTTP/1.<span class="high italic">n</span> methods and others are
RFC 4918 specific.  Some of the HTTP/1.<span class="high italic">n</span> methods are overloaded with
additional or variant behaviours when used in a WebDAV context.  Issues of
atomicity with the manipulation of file-system trees containing numbers of
individual files make strict RFC 4918 compliance difficult.  See
&quot;&hellip;Restrictions&quot; below.

<table class="tabl">
<tr class="tabr under">
<th class="tabh">Method
<th class="tabh">Description
<tr class="tabr">
<tr class="tabr backlight">
<td class="tabd">COPY**
<td class="tabd">Reproduces both single resources (files) and collections (directory trees). 
Will overwrite files (if specified by the request) but will respond 409
(Conflict) if it would overwrite a tree.
<tr class="tabr">
<td class="tabd">DELETE**
<td class="tabd">deletes files and directory trees
<tr class="tabr backlight">
<td class="tabd">GET
<td class="tabd">just the vanilla HTTP/1.1 behaviour
<tr class="tabr">
<td class="tabd">HEAD
<td class="tabd">ditto
<tr class="tabr backlight">
<td class="tabd">LOCK**
<td class="tabd">see WEBDAV LOCKING below
<tr class="tabr">
<td class="tabd">MKCOL**
<td class="tabd">create a directory
<tr class="tabr backlight">
<td class="tabd">MOVE**
<td class="tabd">Moves (rename or copy) a file or a directory tree.  Will 'overwrite' files (if
specified by the request) but will respond 409 (Conflict) if it would overwrite
a tree.
<tr class="tabr">
<td class="tabd">OPTIONS
<td class="tabd">If WebDAV is enabled and available for the path this reports the WebDAV
extension methods
<tr class="tabr backlight">
<td class="tabd">PROPFIND**
<td class="tabd">Retrieves the requested file characteristics, DAV lock status and
'dead' properties for individual files, a directory and its child files, or a
directory tree.
<tr class="tabr">
<td class="tabd">PROPPATCH**
<td class="tabd">set and remove 'dead' meta-data properties
<tr class="tabr backlight">
<td class="tabd">PUT
<td class="tabd">Against a WebDAV resource behaves a little differently to the historical
WASD implementation of PUT.
<tr class="tabr">
<td class="tabd">UNLOCK**
<td class="tabd">see WebDAV locking below
<tr class="tabr">
<td class="tabd">
<td class="tabd">**<span class="high italic">WebDAV RFC 4918 method</span>
</table>

<p> WASD Statistics Reports gather WebDAV related data.  Where a method can be
used both for vanilla HTTP/1.<span class="high italic">n</span> and WebDAV purposes it is counted in
WebDAV statistics if the request header contains some other indication of a
WebDAV activity.

<a id="6.1.1" href="#"></a>
<a id="6.1.1.copyrestrictions" href="#"></a>
<a id="copyrestrictions" href="#"></a>
<h3 class="head"><span class="numb">6.1.1</span><span class="text">COPY Restrictions</span></h3>

<p> Does not comply with the overwrite:T directive for collections (does so for
files).  Will not preemptively delete the existing tree.  It returns a 409
(Conflict) response instead.

<p> COPY does not maintain a consistent collection URL namespace if a member
resource cannot be copied, as required by RFC 4918.  It should leave the
subtree completely uncopied.  Instead it is best-effort and continues
copying resources until exhausted.  This is consistent with file-system
behaviour.  The RFC 4918 requirement, while not impossible, is fraught with
issues inside a file-system.

<a id="6.1.2" href="#"></a>
<a id="6.1.2.deleterestrictions" href="#"></a>
<a id="deleterestrictions" href="#"></a>
<h3 class="head"><span class="numb">6.1.2</span><span class="text">DELETE Restrictions</span></h3>

<p> Deletion of collections is particularly fraught with issues for a
file-system.  In userland it is almost impossible to predetermine whether an
individual file in a directory tree is going to resist deletion (due to
locking, protections, etc.) and in kernel land it's probably no easier.  It
leaves the undeleted tree hierarchy (resource ancestors) intact. This is RFC
4918 compliant however!

<p> So, in the case of WASD WebDAV it's just best-effort and if something down
the  tree won't disappear, it just reports the failure in the 207 response and
carries merrily on through the tree regardless.  This IS acceptable WebDAV
server behaviour!

<a id="6.1.3" href="#"></a>
<a id="6.1.3.moverestrictions" href="#"></a>
<a id="moverestrictions" href="#"></a>
<h3 class="head"><span class="numb">6.1.3</span><span class="text">MOVE Restrictions</span></h3>

<p> Does not comply with the overwrite:T directive for collections (does so for
files).  Will not currently pre-emptively delete the existing tree.  It returns
a 409 (Conflict) response instead.

<p> MOVE first attempts to rename the file or directory.  This is reasonably
efficient, especially for directory trees but obviously only suitable for a
target on the same disk volume.  If a rename failure is due to a different
device it falls back to using a COPY then DELETE in two separate phases. 
Needless-to-say this is hardly atomic and can lead to inconsistencies between
source and target.

<p> MOVE does not maintain collection consistent URL namespace if a member
resource  cannot be moved as required by RFC 4918.  It should maintain the
source subtree unmoved.  Instead it is best-effort and continues moving
resources until exhausted.  This is consistent with file-system behaviour.  The
RFC 4918 requirement, while not impossible, is fraught with issues inside a
file-system.

<a id="6.1.4" href="#"></a>
<a id="6.1.4.ifrestrictions" href="#"></a>
<a id="ifrestrictions" href="#"></a>
<h3 class="head"><span class="numb">6.1.4</span><span class="text">If: Restrictions</span></h3>

<p> The conditional &quot;If:&quot; request header field does not have full RFC 4918
support.  It implements lock token and etag token processing with parenthetical
OR and NOT processing.  For unsupported features WATCH reports that the header
was not understood and the request always returns an abort status (i.e. the
operation is refused rather than being performed unconditionally).  WebDAV &quot;If:&quot;
processing is an extraordinarily complex kludge for on-the-fly decision making
by the server and much of what I have read indicates most clients only ever use
extremely simple conditions anyway.

<a id="6.2" href="#"></a>
<a id="6.2.webdavconfiguration" href="#"></a>
<a id="webdavconfiguration" href="#"></a>
<h2 class="head"><span class="numb">6.2</span><span class="text">WebDAV Configuration</span></h2>

<p> WebDAV and its features are globally enabled and configured using
directives contained in the WASD_CONFIG_GLOBAL configuration file.

<table class="tabl">
<tr class="tabr under">
<th class="tabh">Directive
<th class="tabh">Description
<tr class="tabr">
<tr class="tabr backlight">
<td class="tabd">[PutMaxKBytes]
<td class="tabd">maximum size of a file (PUT and POST)
<tr class="tabr">
<td class="tabd">[WebDAV]
<td class="tabd">This directive enables and disables WebDAV.
<tr class="tabr backlight">
<td class="tabd">[WebDAVlocking]
<td class="tabd">Enables and disables WebDAV locking.
<tr class="tabr">
<td class="tabd">[WebDAVlockTimeoutDefault]
<td class="tabd">see <a class="link" href="#6.4.lockingtimeout">&lsquo;Locking Timeout&rsquo; in 6.4 WebDAV Locking</a>
<tr class="tabr backlight">
<td class="tabd">[WebDAVlockTimeoutMax]
<td class="tabd">see <a class="link" href="#6.4.lockingtimeout">&lsquo;Locking Timeout&rsquo; in 6.4 WebDAV Locking</a>
<tr class="tabr">
<td class="tabd">[WebDAVlockCollectionDepth]
<td class="tabd">See <a class="link" href="#6.4.lockingdepth">&lsquo;Locking Depth&rsquo; in 6.4 WebDAV Locking</a>
<tr class="tabr backlight">
<td class="tabd">[WebDAVmetaDir]
<td class="tabd">see <a class="link" href="#6.3.webdavmetadata">6.3 WebDAV Metadata</a>
<tr class="tabr">
<td class="tabd">[WebDAVquota]
<td class="tabd">Enables and disables RFC 4331 functionality (disk quota
reporting).
</table>

<p> In addition these and other configurations are provided on a per-path basis
using mapping rules.

<a id="6.2.1" href="#"></a>
<a id="6.2.1.webdavsetrules" href="#"></a>
<a id="webdavsetrules" href="#"></a>
<h3 class="head"><span class="numb">6.2.1</span><span class="text">WebDAV Set Rules</span></h3>

<p> WASD request processing rules (see
<a class="link blank" target="_blank" href="../config/#requestprocessingconfiguration">Request Processing Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>)
may be used on a per-path basis to modify (some) global configuration settings
and provide other WebDAV configuration. 

<table class="tabl">
<tr class="tabr under">
<th class="tabh">Rule
<th class="tabh">Description
<tr class="tabr">
<tr class="tabr backlight">
<td class="tabd">ODS=NAME=<span class="high italic">8BIT&verbar;UTF8&verbar;DEFAULT</span>
<td class="tabd">When a file is PUT
using WebDAV (or upload), for non-7bit ASCII file names use native ODS-5 8bit
syntax (default) or UTF-8 encoded character sequences (see <a class="link" href="#6.2.2.filenaming">6.2.2 File Naming</a>)
<tr class="tabr">
<td class="tabd">PUT=MAX=&lt;integer&gt; &verbar; *
<td class="tabd">Maximum number of kilobytes file
size, if &quot;*&quot; then effectively unlimited (per-path equivalent of the global
directive [PutMaxKBytes]).
<tr class="tabr backlight">
<td class="tabd">WEBDAV=[NO]HIDDEN
<td class="tabd">list (default) or hide U*x <span class="high italic">hidden</span>
files (i.e. those with names beginning with period)
<tr class="tabr">
<td class="tabd">WEBDAV=[NO]LOCK
<td class="tabd">allow/apply WebDAV locking to this path
<tr class="tabr backlight">
<td class="tabd">WEBDAV=[NO]PROFILE
<td class="tabd">WebDAV access according to SYSUAF profile
<tr class="tabr">
<td class="tabd">WEBDAV=[NO]PROP
<td class="tabd">allow/apply WebDAV 'dead' property(ies) to this path
<tr class="tabr backlight">
<td class="tabd">WEBDAV=[NO]PUT=LOCK
<td class="tabd">a resource must be locked before a PUT is allowed
<tr class="tabr">
<td class="tabd">WEBDAV=[NO]READ
<td class="tabd">WebDAV methods allowed to read this tree
<tr class="tabr backlight">
<td class="tabd">WEBDAV=[NO]SERVER
<td class="tabd">WebDAV access as server account (best effort)
<tr class="tabr">
<td class="tabd">WEBDAV=[NO]WINPROP
<td class="tabd">when NOWINPROP windows properties are ignored and emulated
<tr class="tabr backlight">
<td class="tabd">WEBDAV=[NO]WRITE
<td class="tabd">WebDAV methods allowed to write to this path (read is implied)
<tr class="tabr">
<td class="tabd">WEBDAV=LOCK=TIMEOUT=DEFAULT=
<td class="tabd">hh:mm:ss
<tr class="tabr backlight">
<td class="tabd">WEBDAV=LOCK=TIMEOUT=MAX=
<td class="tabd">hh:mm:ss
<tr class="tabr">
<td class="tabd">WEBDAV=META=DIR=
<td class="tabd">per-path equivalent of global [WebDAVmetaDir]
(see <a class="link" href="#6.3.webdavmetadata">6.3 WebDAV Metadata</a>)
</table>

<p> An essential function of the path setting rules is for specifying which
paths in server Web-space are allowed to be accessed using the WebDAV protocol
and what sort of access (read, write, etc.) that path is allowed.

<a id="6.2.2" href="#"></a>
<a id="6.2.2.filenaming" href="#"></a>
<a id="filenaming" href="#"></a>
<h3 class="head"><span class="numb">6.2.2</span><span class="text">File Naming</span></h3>

<p> By default files that are PUT via WebDAV (or upload) support the ISO Latin-1
character set.  ASCII and non-7-bit file names use the native ODS-5 syntax. 
Where character sets other than ISO Latin-1, or where compatibility with other
WebDAV implementations is desired (e.g. Apache), a path can be set to allow
file names supplied using UTF-8 sequences.

<p> For example, the English language word &quot;na&#239;ve&quot;, having a diaeresis
mark over the &quot;i&quot; character (indicating it is pronounced separately from the
preceding vowel) is commonly represented using the 8 bit character 0xEF, or as
the two byte UTF-8 sequence 0xC3 0xAF.  This word if used as the file name with a
type (extension) of &quot;.TXT&quot; by default would have the sequence of 8-bit
characters

<div class="blockof code">0x6E 0x61 0xEF 0x76 0x65 0x2e 0x54 0x58 0x54
</div>

and if the path had been set <span class="high italic">ods=name=utf8</span> the sequence would be

<div class="blockof code">0x6E 0x61 0xC3 0xAF 0x76 0x65 0x2E 0x54 0x58 0x54
</div>

<p> &quot;Index of&quot; (directory) listings will honour a path set <span class="high italic">ods=name=utf8</span> and
make the listing character set UTF-8 resulting in a browser correctly rendering
the name (WebDAV listings are by definition UTF-8).

<a id="6.2.2.0.1" href="#"></a>
<a id="6.2.2.filenameambiguity" href="#"></a>
<a id="filenameambiguity" href="#"></a>
<h5 class="head"><span class="text">File Name Ambiguity</span></h5>

<p> While files and directories created via WebDAV will have a consistent naming
schema applied those created by applications or manual operation on the VMS
system can result in files that are not accessible with WebDAV.

<p> For example the file name
<div class="blockof code">This^_is^_an^_EXAMPLE^.txt.;1
</div>
would be presented to the client as
<div class="blockof code">This is an EXAMPLE.txt
</div>
which when provided in a URL as
<div class="blockof code">This%20is%20an%20EXAMPLE.txt
</div>
and translated from that URL into the file specification
<div class="blockof code">This^_is^_an^_EXAMPLE.txt;1
</div>
of course will not be able to be accessed.

<p> In addition, the two files
<div class="blockof code">This^_is^_an^_EXAMPLE.txt;1
This^_is^_an^_EXAMPLE^.txt.;1
</div>
are distinct in the file-system, independently parsed from the directory
structure, would be presented to the client as consecutive entries having the
same name, with only the accessible file name actually available.
<div class="blockof code">This is an EXAMPLE.txt
This is an EXAMPLE.txt
</div>

<p> To avoid this situation a potentially ambiguous file name containing an
escaped period and no type (extension) is ignored by directory listings and
WebDAV  property lists.  When an ambiguous file name is detected it is reported
in WATCH reports.

<div class="note">
<a id="6.2.2.0.2" href="#"></a>
<a id="6.2.2.avoidquotinterestingquotfilenames" href="#"></a>
<a id="avoidquotinterestingquotfilenames" href="#"></a>
<h5 class="head center"><span class="text">Avoid &quot;Interesting&quot; File Names</span></h5>
<hr class="note_hr">
While most of these are corner-cases it is best to try and avoid
<span class="high italic">interesting</span> file names that can challenge the rather convoluted VMS
file-system environment.  Inaccessible file names cannot of course be deleted
or renamed via WebDAV and may result in directory (folder) deletion problems. 
These situations generally require manual intervention.
<hr class="note_hr">
</div>

<a id="6.2.3" href="#"></a>
<a id="6.2.3.filesystemaccess" href="#"></a>
<a id="filesystemaccess" href="#"></a>
<h3 class="head"><span class="numb">6.2.3</span><span class="text">File-system Access</span></h3>

<p> Is controlled using the mapping rules:

<table class="tabl">
<tr class="tabr under">
<th class="tabh">Rule
<th class="tabh">Description
<tr class="tabr">
<tr class="tabr">
<td class="tabd">WEBDAV=PROFILE
<td class="tabd">access using request SYSUAF-authenticated security
profile
<tr class="tabr">
<td class="tabd">WEBDAV=WRITE
<td class="tabd">unconditional permission to read/write
<tr class="tabr">
<td class="tabd">WEBDAV=READ
<td class="tabd">unconditional permission to read
<tr class="tabr">
<td class="tabd">WEBDAV=SERVER
<td class="tabd">access using server account permissions
</table>

<p> All access by WebDAV operations <span class="high bold">must have at least one set</span> against the 
path. If access is permitted by one of the above settings SYSPRV is enabled to
allow that access using the server account.  Therefore files and directories
should have a SYSTEM:READ+WRITE+EXECUTE+DELETE protection or equivalent ACL
permissions, or the access may fail totally or in some part of a supposedly
atomic action.  Note the security consequence: because SYSPRV gives the server
account SYSTEM-category access, the OWNER/GROUP/WORLD protection of the files
no longer limits what a WEBDAV=READ or WEBDAV=WRITE path can reach.  The mapping
template and the accompanying authorisation rule
(<a class="link" href="#6.2.4.filesystemauthorisation">6.2.4 File-system Authorisation</a>)
are the effective boundary, so keep those templates as narrow as the application
allows, and prefer WEBDAV=PROFILE where access should follow each user's own
SYSUAF rights rather than the server's.

<p> These file-system access settings are applied in the order listed above. 
That is, if during rule processing a path accumulates more than one of the above
settings, then when the access controls are applied the SYSUAF profile is used
first; if no profile is set, read/write access; then read-only; then access via
the server account. 

<p> In addition WebDAV access requires an authorisation rule against each path.

<a id="6.2.4" href="#"></a>
<a id="6.2.4.filesystemauthorisation" href="#"></a>
<a id="filesystemauthorisation" href="#"></a>
<h3 class="head"><span class="numb">6.2.4</span><span class="text">File-system Authorisation</span></h3>

<p> All access by WebDAV operations <span class="high bold">must have an authorisation rule set</span> against the path.

<p> All WebDAV access is a combination of WASD_CONFIG_MAP path setting and
WASD_CONFIG_AUTH authorisation permissions.  The least permissive of the two
overrides the more permissive. The combination of an authorisation rule and a
path mapping rule mitigates the chance of opening unintended access into the
file-system.

<p> These is the test-bench environment used during development:

<div class="blockof code"># WASD_CONFIG_MAP
pass  /dweb/*  /dweb/*  ods=5 webdav=write webdav=nowinprop

# WASD_CONFIG_AUTH
[&quot;KLAATU&quot;=WASD_VMS_RW=id]
/dweb/*  r+w
</div>

<p> Note that WebDAV read/write access is a combination of the mapping and the
authorisation rule (mapping WEBDAV=READ overrides authorisation read+write). 
Expect complications with Microsoft environments.

<p> For test-benching on an isolated system you could avoid authorisation
issues completely with the following.  Do not leave it in place on a reachable
server: <span class="high italic">[world]</span> grants unauthenticated
read+write, and combined with the SYSPRV-enabled access described in
<a class="link" href="#6.2.3.filesystemaccess">6.2.3 File-system Access</a>
that means anyone who can reach the path can modify the file-system space it
maps.

<div class="blockof code"># WASD_CONFIG_AUTH
[world]
/dweb/*  r+w
</div>

<a id="6.2.5" href="#"></a>
<a id="6.2.5.concurrentauthorisation" href="#"></a>
<a id="concurrentauthorisation" href="#"></a>
<h3 class="head"><span class="numb">6.2.5</span><span class="text">Concurrent Authorisation</span></h3>

<p> A common requirement is to provide concurrent general access and authorised
WebDAV acccess to the same Web-space.  This is accomplished by using two paths
mapped into the same file-system space, the general access (non-authorised)
path, and a WebDAV (authorised) path.  The WebDAV client uses the authorised
path and can then apply WebDAV methods to maintain the resources.

<div class="blockof code"># WASD_CONFIG_MAP
pass  /web/*    /web/*  ods=5
pass  /davweb/* /web/*  ods=5 webdav=profile webdav=nowinprop

# WASD_CONFIG_AUTH
[&quot;KLAATU&quot;=WASD_VMS_RW=id]
/davweb/*  r+w
</div>

<a id="6.2.6" href="#"></a>
<a id="6.2.6.realworldexample" href="#"></a>
<a id="realworldexample" href="#"></a>
<h3 class="head"><span class="numb">6.2.6</span><span class="text">Real-World Example</span></h3>

<p> The following configuration is taken from a site using WebDAV to allow users
to manage their Web presence.  The user mapping is a fairly standard
configuration for VMS accounts (see
<a class="link blank" target="_blank" href="../config/#Mapping User Directories (tilde character ("~"))">Mapping User Directories (tilde character ("~"))</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>).
User Web areas are in the [.WWW] subdirectory of the account home area.

<div class="blockof code"># WASD_CONFIG_MAP
# general and WebDAV access (order is important)

user  /~*/dav/* /*/www/*  webdav=profile notepad=webdav
user  /~*/dav   /*/www    webdav=profile notepad=webdav
if (pass:-1 &amp;&amp; notepad:webdav)  pass  /~*/dav/*  /d1/*/www/*
if (pass:-1 &amp;&amp; notepad:webdav)  pass  /~*/dav/*  /d2/*/www/*

user /~*/* /*/www/* dir=access
if (pass:-1)  pass  /~*/*  /d1/*/www/*
if (pass:-1)  pass  /~*/*  /d2/*/www/*
</div>

<p> The four WebDAV access rules are located before the three general user
access rules.  The WebDAV rules are more specific.  The first USER rule maps
subdirectories - and the parent if a trailing slash is included.  The second
USER rule maps the parent directory for user agents that do not include
trailing slash on their directory specifications (most it seems).

<p> The second pair of rules <span class="high italic">reverse-maps</span> the VMS file-system specifications
represented by the <span class="high italic">result</span> (right side) of the PASS rule into the path
represented by the <span class="high italic">template</span> (left side) of the PASS rule.  Mapping from
file-specifications to paths is necessary because of the way the PROPFIND
method searches the file-system and then reports its results to the client as
URLs.

<p> The <span class="high italic">notepad</span> rule with a string of &quot;webdav&quot; (the actual string
is not significant as long as it is unique within the rules) is used to
conditionally process the reverse-mapping rules.  They will be applied only to
the requests originally mapped by the USER rules.  The <span class="high italic">pass:-1</span> ensures the
rules are only applied during reverse-mapping, not during request mapping.

<p> The fifth rule maps general Web access to the user area.  Remember, web
access is to a user home subdirectory [.WWW].

<p> The sixth and seventh rules <span class="high italic">reverse-map</span> the VMS file-system
specifications for the general USER rules for similar reasons to those
described above.  Why two?  The user directories occur across two disk volumes
and so each must be reverse-mapped.

<div class="blockof code"># WASD_CONFIG_AUTH

[&quot;VMS username/password&quot;=WASD_VMS_RW=id]
/~*/dav/*  read+write,profile,https:
/~*/dav    read+write,profile,https:
</div>

<p> As noted above, WASD WebDAV requires both mapping and authorization rules
(even for &quot;world&quot; - or non-authenticated - access).

<p> In this case authorisation is only required for WebDAV access.  There are
two rules.  The first authorises subdirectories and parent directories for
agents that supply a trailing slash.  The second for agents that do not provide
a trailing slash.  Both carry the <span class="high italic">https:</span> qualifier, which
restricts these rules to https requests, so the VMS username/password is only
accepted over a TLS connection and is never exposed on a clear channel.  Because
this grants write access using VMS account credentials, that restriction should
be retained.

<a id="6.2.6.0.1" href="#"></a>
<a id="6.2.6.whyusehellip" href="#"></a>
<a id="whyusehellip" href="#"></a>
<h5 class="head"><span class="text">Why use &hellip;</span></h5>

<p> &hellip; two rules for each location?  Why

<div class="blockof code">user  /~*/dav/*  /*/www/*
user  /~*/dav    /*/www
</div>
 rather than

<div class="blockof code">user  /~*/dav*    /*/www*
</div>

which would accomplish a <span class="high italic">similar</span> result?

<p> For finer control.  The first only matches requests with a path of
&quot;/~user/dav/subdir/&quot; and &quot;/~user/dav&quot;, whereas the latter matches
&quot;/~user/dav/subdir/&quot; and &quot;/~user/dav&quot; and 
&quot;/~user/david/&quot; and &quot;/~user/davros&quot;, etc.

<a id="6.3" href="#"></a>
<a id="6.3.webdavmetadata" href="#"></a>
<a id="webdavmetadata" href="#"></a>
<h2 class="head"><span class="numb">6.3</span><span class="text">WebDAV Metadata</span></h2>

<p> Metadata is data (information) about data.  WebDAV uses the concept of a
resource <span class="high italic">property</span>.  There are &quot;live&quot; properties and &quot;dead&quot; properties. 
Essentially the live properties are the dynamic characteristics of a
file-system object represented by creation and modification date-times, object
size, etc.  WebDAV dead properties are those supplied by WebDAV clients as XML
entities and stored associated with the particular WebDAV object, in WASD's
case the file-system object (file or directory).  WASD also uses the file
metadata to store resource lock data (see <a class="link" href="#6.4.webdavlocking">6.4 WebDAV Locking</a>).

<a id="6.3.0.0.1" href="#"></a>
<a id="6.3.metadatafiles" href="#"></a>
<a id="metadatafiles" href="#"></a>
<h5 class="head"><span class="text">Metadata Files</span></h5>

<p> WASD manages resource metadata using a separate file associated by name with
the data file.  This is done for reasons of programmatic simplicity and for the
convenience of any command-line owner or sysadmin of the resources.  No
specialised tools are required.  This metadata file can be stored in one of
three locations. 

<ol class="list">

<li class="item"> By default, WASD uses a metadata file in the same directory and with
the same name, with &quot;__wasdav&quot; appended to the extension (type).  All non-WebDAV
WASD functionality ignores &quot;*.*__wasdav;&quot; files (e.g. directory listing,
file GET).  Of course other applications (e.g. a DCL DIRECTORY listing, as
below) do not.

<div class="blockof code">&dollar; DIRECTORY/SIZE/DATE 01234*.*

Directory WEB:[DAVweb]

01234^.56789.TXT;1    0.50KB   8-JUN-2009 23:07:19.26
01234^.56789.txt__wasdav;1
                         1KB  19-JUN-2009 03:20:34.50
0123456789.TXT;1      0.50KB   8-JUN-2009 23:06:59.16
0123456789.txt__wasdav;1
                         1KB  19-JUN-2009 03:19:14.67
</div>

<li class="item"> An alternate but still <span class="high italic">local</span> location, is in the WASD_CONFIG_GLOBAL
[WebDAVmetadir] globally specified, or per-path <span class="high italic">SET /path webdav=meta=dir</span>
directives.  If specified as a subdirectory the metadata file is stored in a
subdirectory of the data file directory using the same name with &quot;__wasdav&quot;
appended to the extension  (type).  This is owned by the owner of the parent
directory.  The metadata directory does not appear in WASD WebDAV or file
system listings.  Choose something unique as the name cannot be used elsewhere
in WebDAV space.

<p> For example, with the global directive

<div class="blockof code"># WASD_CONFIG_GLOBAL
[WebDAVmetaDir] [.^.dav]
</div>

specifying a subdirectory with a name containing a leading period (i.e. a
U*x <span class="high italic">hidden</span> file), the data files

<div class="blockof code">Directory WEB:[DAVweb]

01234^.56789.TXT;1    0.50KB   8-JUN-2009 23:07:19.26
0123456789.TXT;1      0.50KB   8-JUN-2009 23:06:59.16
</div>

would have the associated metadata files

<div class="blockof code">Directory WEB:[DAVweb.^.dav]

01234^.56789.txt__wasdav;1
                         1KB  19-JUN-2009 03:20:34.50
0123456789.txt__wasdav;1
                         1KB  19-JUN-2009 03:20:24.77
</div>

<li class="item"> The final alternative uses the same directives as above but specifies a
full directory path.  In this case WebDAV metadata is stored completely
separately from the data.  This can be anywhere in available file-space.  The
web server account requires full access to this directory, the simplest way of
ensuring this being to give the server account ownership of the directory.
Because this one directory then holds the metadata (including lock data) for
every WebDAV resource on the server, its protection should allow access to the
server account only.  This global location is only suitable for ODS-5 volumes.
Sixteen hexadecimal named subdirectories are used to partition metadata files,
with file names generated from the data file's full name escaped using extended
parse syntax.  Using this approach a sysadmin can easily locate specific
metadata files if required.

<p> For example, with the global directive

<div class="blockof code"># WASD_CONFIG_GLOBAL
[WebDAVmetaDir] DKA0:[WASDAVMETA]
</div>

the data files

<div class="blockof code">Directory WEB:[DAVweb]

01234^.56789.TXT;1    0.50KB   8-JUN-2009 23:07:19.26
0123456789.TXT;1      0.50KB   8-JUN-2009 23:06:59.16
</div>

would have the associated metadata files

<div class="blockof code">Directory DKA0:[WASDAVMETA.06]

web^:^[davweb^]01234^.56789.txt__wasdav;1
                         1KB  19-JUN-2009 03:21:34.40
web^:^[davweb^]0123456789.txt__wasdav;1
                         1KB  19-JUN-2009 03:21:14.67
</div>

</ol>

<a id="6.3.0.0.2" href="#"></a>
<a id="6.3.directorymetadata" href="#"></a>
<a id="directorymetadata" href="#"></a>
<h5 class="head"><span class="text">Directory Metadata</span></h5>

<p> The metadata file associated with a directory is stored in the same metadata
location as files contained by that directory (not in the metadata location
associated with the parent directory that contains the directory file).  This
metadata file is named &quot;.DIR__wasdav&quot; (i.e. no name, just an extension), with
the following example illustrating how this would appear in each of the three
metadata locations, for a subdirectory named &quot;New Folder&quot;.

<div class="blockof code">WEB:[DAVweb.New^_Folder].DIR__wasdav;1
WEB:[DAVweb.New^_Folder.^.dav].DIR__wasdav;1
DKA0:[WASDAVMETA.06]web^:^[davweb^.new^_folder^].dir__wasdav;1
</div>

<a id="6.3.0.0.3" href="#"></a>
<a id="6.3.metadataxml" href="#"></a>
<a id="metadataxml" href="#"></a>
<h5 class="head"><span class="text">Metadata XML</span></h5>

<p> All metadata is stored using XML.  Multiple XML data can be contained in a
single metadata file.  Each can be individually manipulated by a WebDAV client. 
The property elements are stored as-supplied by the client.  It is presumed
that their XML well-formedness is guaranteed by the original request XML
parsing.  Note that this makes dead properties untrusted client input that is
persisted on the server and reported back to clients by PROPFIND; the request
XML parser is the only validation they receive.  Metadata files have content
similar to the following:

<div class="blockof code">&dollar; TYPE 0123456789.txt__wasdav;1
&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
&lt;WASDAV:data xmlns:WASDAV=&quot;WASD.VMS.WebDAV&quot;
updated=&quot;2009-06-18T17:49:14Z 19-JUN-2009 03:19:14&quot;&gt;
&lt;WASDAV:lock
token=&quot;opaquelocktoken:4D462D61B0E0427F19B425EBEEF2CFF6&quot;
depth=&quot;0&quot;
type=&quot;write&quot;
scope=&quot;exclusive&quot;
timeout=&quot;Second-86400&quot;
expires=&quot;2009-06-20T22:49:14Z 21-JUN-2009 08:19:14&quot;&gt;
&lt;WASDAV:owner&gt;&lt;NS:href xmlns:NS=&quot;DAV:&quot;&gt;MGD&lt;/NS:href&gt;&lt;/WASDAV:owner&gt;
&lt;/WASDAV:lock&gt;
&lt;WASDAV:prop&gt;
&lt;NS:one xmlns:NS=&quot;two&quot;&gt;three&lt;/NS:one&gt;
&lt;/WASDAV:prop&gt;
&lt;WASDAV:prop&gt;
&lt;NS:four xmlns:NS=&quot;five&quot;&gt;six&lt;/NS:four&gt;
&lt;/WASDAV:prop&gt;
&lt;WASDAV:prop&gt;
&lt;NS:seven xmlns:NS=&quot;eight&quot;&gt;nine&lt;/NS:seven&gt;
&lt;/WASDAV:prop&gt;
&lt;/WASDAV:data&gt;
</div>

<p> This metadata example contains four properties; an exclusive write lock
owned by &quot;MGD&quot; and three set by a client in three different (contrived)
namespaces.

<div class="note">
<a id="6.3.0.0.4" href="#"></a>
<a id="6.3.metadatashouldnotbeeditedmanually" href="#"></a>
<a id="metadatashouldnotbeeditedmanually" href="#"></a>
<h5 class="head center"><span class="text">Metadata should not be edited manually ...</span></h5>
<hr class="note_hr">
&hellip; unless you really, really know what you're doing.  WASD deletes metadata
files it does not understand or otherwise considers damaged (with some
resultant loss of information).  You can, of course, edit one by hand - for
example to remove a stale lock on a resource - but you run the (small) risk of
a &quot;lost-update&quot; and other complications.  And, again of course, a resource's
full metadata can be deleted at the command-line.
<hr class="note_hr">
</div>

<a id="6.3.0.0.5" href="#"></a>
<a id="6.3.microsoftmetadata" href="#"></a>
<a id="microsoftmetadata" href="#"></a>
<h5 class="head"><span class="text">Microsoft Metadata</span></h5>

<p> An example of such property meta-data generated by a Microsoft Windows (not
Internet) Explorer client (example wrapped for presentation):

<div class="blockof code">&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
&lt;WASDAV:data xmlns:WASDAV=&quot;WASD.VMS.WebDAV&quot;
updated=&quot;2007-07-23T01:39:11Z&quot;&gt;
&lt;WASDAV:prop&gt;
&lt;NS:Win32CreationTime xmlns:NS=&quot;urn:schemas-microsoft-com:&quot;&gt;
Tue, 26 Jun 2007 02:00:48 GMT&lt;/NS:Win32CreationTime&gt;
&lt;/WASDAV:prop&gt;
&lt;WASDAV:prop&gt;
&lt;NS:Win32LastAccessTime xmlns:NS=&quot;urn:schemas-microsoft-com:&quot;&gt;
Mon, 23 Jul 2007 01:52:32 GMT&lt;/NS:Win32LastAccessTime&gt;
&lt;/WASDAV:prop&gt;
&lt;WASDAV:prop&gt;
&lt;NS:Win32LastModifiedTime xmlns:NS=&quot;urn:schemas-microsoft-com:&quot;&gt;
Mon, 23 Jul 2007 01:52:32 GMT&lt;/NS:Win32LastModifiedTime&gt;
&lt;/WASDAV:prop&gt;
&lt;WASDAV:prop&gt;
&lt;NS:Win32FileAttributes xmlns:NS=&quot;urn:schemas-microsoft-com:&quot;&gt;
00000020&lt;/NS:Win32FileAttributes&gt;
&lt;/WASDAV:prop&gt;
&lt;/WASDAV:data&gt;
</div>

<p> Every file written or modified by <span class="high italic">Windows Explorer</span> generates this sort
of metadata which is then stored in an associated metadata file and read each
time the data file is accessed.  Some might consider this unnecessary clutter
in most circumstances (I do).  WASD allows this metadata to be suppressed and
equivalent data generated (fudged) from file <span class="high italic">live</span> properties when accessed
- often sufficient for purpose.  To suppress the actual processing of <span class="high italic">Windows
Explorer</span> metadata set a path using the WEBDAV=NOWINPROP in WASD_CONFIG_MAP.

<div class="blockof code">set /webdav/* webdav=NOwinprop
</div>

<a id="6.4" href="#"></a>
<a id="6.4.webdavlocking" href="#"></a>
<a id="webdavlocking" href="#"></a>
<h2 class="head"><span class="numb">6.4</span><span class="text">WebDAV Locking</span></h2>

<p> For efficiency and functionality considerations WebDAV locking may be
enabled or disabled (the default) as global functionality using the
WASD_CONFIG_GLOBAL [WebDAVlocking] directive.  Additionally the
WEBDAV=[NO]LOCKING path SETing can configure this on a per-path basis.

<a id="6.4.0.0.1" href="#"></a>
<a id="6.4.writeaccessonly" href="#"></a>
<a id="writeaccessonly" href="#"></a>
<h5 class="head"><span class="text">Write Access Only</span></h5>

<p> In common with RFC 4918 WASD WebDAV locking controls only write access.
Both exclusive and shared locks are provided.  Locking applies to the DELETE,
LOCK, MKCOL, MOVE, PROPPATCH, PUT, and UNLOCK methods.

<a id="6.4.0.0.2" href="#"></a>
<a id="6.4.lockingdepth" href="#"></a>
<a id="lockingdepth" href="#"></a>
<h5 class="head"><span class="text">Locking Depth</span></h5>

<p> WASD WebDAV locking checks parent collections to a configurable depth. 
WASD_CONFIG_GLOBAL directive [WebDAVlockCollectionDepth] where the default (0
or 1) checks only WebDAV locking on files, 2 WebDAV locking on the parent
directory, 3 on the grandparent, 4 the great-grandparent, etc.  Of course each
level can add significant latency (and expense) to some operations.

<div class="note">
<a id="6.4.0.0.3" href="#"></a>
<a id="6.4.lockdepth0" href="#"></a>
<a id="lockdepth0" href="#"></a>
<h5 class="head center"><span class="text">Lock Depth 0</span></h5>
<hr class="note_hr">
Real world experience has suggested locking depth should be maintained at the
default 0 (or 1), allowing the client explicitly to manage and negotiate
hierarchies of locking if required.  WebDAV  clients (probably correctly)
assume a minimally compliant and relatively unsophisticated WebDAV server.
<hr class="note_hr">
</div>

<p> For more information on locking operation and implementation details see
the DAVLOCK.C module and for meta-data in general the DAVMETA.C module.

<a id="6.4.0.0.4" href="#"></a>
<a id="6.4.lockingtimeout" href="#"></a>
<a id="lockingtimeout" href="#"></a>
<h5 class="head"><span class="text">Locking Timeout</span></h5>

<p> When a client locks a resource it can specify the period for the lock.  In
the absence of such a specification WASD will apply the
[WebDAVlockTimeoutDefault] value (by default 0-01:00:00 - one hour).  WASD also
applies the [WebDAVlockTimeoutMax] maximum lock period (by default 7-00:00:00 -
one week).  When the maximum period expires the lock is no longer valid.

<a id="6.4.0.0.5" href="#"></a>
<a id="6.4.vmsdlmlocking" href="#"></a>
<a id="vmsdlmlocking" href="#"></a>
<h5 class="head"><span class="text">VMS DLM Locking</span></h5>

<p> WASD uses VMS locking to queue and arbitrate access to WebDAV resources
and meta-files.

<p> Two lock modes are employed; 'exclusive', when changes are to be made to the
resource or its meta-data, and 'concurrent read', when resource and/or
meta-data are only to be read.  Concurrent read locks are compatible, but an
exclusive queued against a resource currently being read waits, as does a read
against a current exclusive.

<p> WASD takes out its own VMS DLM locks on resources (files and directories)
before beginning any WebDAV operation, and these prevent conflict with other
WASD WebDAV operations on the same system or cluster, but RMS does not use
these nor does WASD use RMS locks (except when actually accessing the
file-system of course), and so there is potential for interactions between the
two domains (in common with general file-system activities).  WASD WebDAV
deliberately does not try to block file-system actions from other processing
(except where RMS locks/blocks).  Its own DLM locking is purely for internal
purposes.  In particular, a WebDAV LOCK is not enforced against local
(non-WebDAV) processes that modify the same files; it coordinates WebDAV
clients only.

<a id="6.5" href="#"></a>
<a id="6.5.somewrinkles" href="#"></a>
<a id="somewrinkles" href="#"></a>
<h2 class="head"><span class="numb">6.5</span><span class="text">Some Wrinkles</span></h2>

<p> Some application/environment-specific considerations when using WASD WebDAV. 
Please report any you encounter for future inclusion in this section.  Also see
<a class="link" href="#6.6.microsoftmiscellanea">6.6 Microsoft Miscellanea</a> immediately below.

<a id="6.5.1" href="#"></a>
<a id="6.5.1.osxfinder" href="#"></a>
<a id="osxfinder" href="#"></a>
<h3 class="head"><span class="numb">6.5.1</span><span class="text">OS X Finder</span></h3>

<p> OS X Finder requires [WebDAVlocking] enabled for read/write access,
otherwise access will be read-only.

<a id="6.5.2" href="#"></a>
<a id="6.5.2.gnomegvfsnautilus" href="#"></a>
<a id="gnomegvfsnautilus" href="#"></a>
<h3 class="head"><span class="numb">6.5.2</span><span class="text">Gnome/gvfs/Nautilus</span></h3>

<p> As at publication, <span class="high italic">Gnome/gvfs/Nautilus</span> has quite a number of behavioural
problems with associated Bugzilla items.  Don't expect it to behave well!  This
has been my experience.

<a id="6.5.3" href="#"></a>
<a id="6.5.3.dreamweaver" href="#"></a>
<a id="dreamweaver" href="#"></a>
<h3 class="head"><span class="numb">6.5.3</span><span class="text">Dreamweaver</span></h3>

<p> Dreamweaver 8 (at least, the only version I have access to) occasionally
insists on using a URI with a trailing &quot;/./&quot; (I'm guessing to specify the
&quot;current&quot; directory - cf. &quot;/../&quot;, or &quot;parent&quot; syntax).  Just absorb this
internally using an appropriate mapping internal redirect.

<div class="blockof code">redirect /webdav/**/./ /webdav/*/
</div>

<a id="6.6" href="#"></a>
<a id="6.6.microsoftmiscellanea" href="#"></a>
<a id="microsoftmiscellanea" href="#"></a>
<h2 class="head"><span class="numb">6.6</span><span class="text">Microsoft Miscellanea</span></h2>

<p> A cornucopia of minor and major considerations!

<div class="note">
<a id="6.6.0.0.1" href="#"></a>
<a id="6.6.muchofthisisprewindows10" href="#"></a>
<a id="muchofthisisprewindows10" href="#"></a>
<h5 class="head center"><span class="text">much of this is pre- Windows 10</span></h5>
<hr class="note_hr"> 
and relates to Windows 7, Windows XP and possibly earlier.  Windows 10 and
WebDAV behaviour is very much an unknown quantity.  The following information
continues to be included for historical reference only.
<hr class="note_hr">
</div>

<p> Microsoft approach WebDAV in their own inimitable fashion.  Hence Microsoft
agents, considering their ubiquity, including their mini-redirector are
specifically looked for and functionality modified to accommodate them.

<p> The following is a list of topics/issues that were encountered/investigated
during WASD WebDAV development.  They may or may not be applicable to your
site.

<p> Some general references:

<ul class="list simple list0">
<li class="item"> <a class="link blank" target="_blank" href="http://greenbytes.de/tech/webdav/webdav-redirector-list.html">http://greenbytes.de/tech/webdav/webdav-redirector-list.html</a>
<li class="item"> <a class="link blank" target="_blank" href="http://greenbytes.de/tech/webdav/webfolder-client-list.html">http://greenbytes.de/tech/webdav/webfolder-client-list.html</a>
<li class="item"> <a class="link blank" target="_blank" href="http://www.zorched.net/2006/03/01/more-webdav-tips-tricks-and-bugs/">http://www.zorched.net/2006/03/01/more-webdav-tips-tricks-and-bugs/</a>
<li class="item"> <a class="link blank" target="_blank" href="http://www.webdavsystem.com/server/documentation/troubleshooting">http://www.webdavsystem.com/server/documentation/troubleshooting</a>
<li class="item"> <a class="link blank" target="_blank" href="http://www.webdavsystem.com/documentation/troubleshooting">http://www.webdavsystem.com/documentation/troubleshooting</a>
<li class="item"> <a class="link blank" target="_blank" href="http://code.google.com/p/sabredav/wiki/Windows">http://code.google.com/p/sabredav/wiki/Windows</a>
<li class="item"> <a class="link blank" target="_blank" href="http://ulihansen.kicks-ass.net/aero/webdav/">http://ulihansen.kicks-ass.net/aero/webdav/</a>
<li class="item"> <a class="link blank" target="_blank" href="http://chapters.marssociety.org/webdav/">http://chapters.marssociety.org/webdav/</a>
</ul>

<p> DOS/Windows command-line network configuration (shown with http; use an
https:// URL where the client and server support it, as Basic authentication
over clear-text http exposes the credentials - see
<a class="link" href="#6.6.9.microsoftxpexplorerbasicauthentication">6.6.9</a>):

<div class="blockof code">C:\&gt; NET USE Z: http://the.host.name/folder/
C:\&gt; NET USE Z: /DELETE
</div>

<a id="6.6.1" href="#"></a>
<a id="6.6.1.mapping" href="#"></a>
<a id="mapping" href="#"></a>
<h3 class="head"><span class="numb">6.6.1</span><span class="text">Mapping</span></h3>

<p> Microsoft agents (at least) seem to request the server OPTIONS of the server
root regardless of any path provided with the NET USE or other network drive
mapping employed.  To selectively map such a request into a path that has
WebDAV enabled on it (and will therefore respond with the DAV-related options)
use a conditional redirect rule.  For example

<div class="blockof code">if (webdav:)
   if (request-method:OPTIONS) redirect / /dav-path/
endif
</div>

or if only required for MS agents then something more specific

<div class="blockof code">if (webdav:MSagent)
   if (request-method:OPTIONS) redirect / /dav-path/
endif
</div>

<p> Subsequent rules will probably be required to map typeless directory
requests to the actual directory required.

<div class="blockof code">redirect /dav-path /dav-path/
pass /dav-path/* /dav_root/* webdav=read
</div>

<a id="6.6.2" href="#"></a>
<a id="6.6.2.frontpageextensions" href="#"></a>
<a id="frontpageextensions" href="#"></a>
<h3 class="head"><span class="numb">6.6.2</span><span class="text">FrontPage Extensions</span></h3>

<p> Requests containing paths /_vti_inf.html and /_vti_bin/* are related to
FrontPage protocol discovery probing.  They can be adequately handled using a
mapping rule such as the following:

<div class="blockof code">pass /_vti_* &quot;404 Not an MS platform!&quot;
</div>

<a id="6.6.3" href="#"></a>
<a id="6.6.3.avoidingmicrosoftpropertyclutter" href="#"></a>
<a id="avoidingmicrosoftpropertyclutter" href="#"></a>
<h3 class="head"><span class="numb">6.6.3</span><span class="text">Avoiding Microsoft Property Clutter</span></h3>

<p> See <a class="link" href="#6.3.microsoftmetadata">&lsquo;Microsoft Metadata&rsquo; in 6.3 WebDAV Metadata</a>.

<a id="6.6.4" href="#"></a>
<a id="6.6.4.optionsheaderquotmsauthorviadavquot" href="#"></a>
<a id="optionsheaderquotmsauthorviadavquot" href="#"></a>
<h3 class="head"><span class="numb">6.6.4</span><span class="text">OPTIONS header &quot;MS-Author-Via: DAV&quot;</span></h3>

<ul class="list simple">
<li class="item"> <a class="link blank" target="_blank" href="http://msdn2.microsoft.com/en-us/library/ms691698.aspx">http://msdn2.microsoft.com/en-us/library/ms691698.aspx</a>
</ul>

<p> If the server's response does not contain an MS-Author-Via header, the OLE
DB  Provider for Internet Publishing loads the WEC and WebDAV protocol drivers
one at a time (WEC first, WebDAV second) and asks them, &quot;Do you know how to
handle this URL?&quot;, specifying the exact URL passed in by the client. The first
protocol which responds &quot;yes&quot; is selected. If neither protocol driver responds
&quot;yes&quot; then the method which triggered the automatic driver selection (usually
IBindResource::Bind) fails with an OLE DB Provider for Internet Publishing
specific error code IPP_E_SERVERTYPE_NOT_SUPPORTED.

<a id="6.6.5" href="#"></a>
<a id="6.6.5.repairingbrokenxpwebfolders" href="#"></a>
<a id="repairingbrokenxpwebfolders" href="#"></a>
<h3 class="head"><span class="numb">6.6.5</span><span class="text">Repairing broken XP Web Folders</span></h3>

<ul class="list simple">
<li class="item"> <a class="link blank" target="_blank" href="http://chapters.marssociety.org/webdav/">http://chapters.marssociety.org/webdav/</a>
</ul>

<p> Some Windows XP machines have a broken Web Folders installation. Microsoft
includes a Web Folders repair utility built in to Windows to correct the
problem. Use the following steps to fix the problem:

<ol class="list">
<li class="item"> Click on the &quot;Start&quot; menu in the lower left corner, and select &quot;Run...&quot;
<li class="item"> Type in &quot;webfldrs.msi&quot; and click the &quot;OK&quot; button.
<li class="item"> Click on the &quot;Select reinstall mode&quot; button.
<li class="item"> Select *ALL* of the checkboxes *except* for the second one
(&quot;Reinstall only if file is missing&quot;).
<li class="item"> Click on the &quot;OK&quot; button.
<li class="item"> Click on the &quot;Reinstall&quot; button.
<li class="item"> After the reinstallation is complete, reboot the computer.
</ol>

<a id="6.6.6" href="#"></a>
<a id="6.6.6.addingaportnumbertothewebfolderaddress" href="#"></a>
<a id="addingaportnumbertothewebfolderaddress" href="#"></a>
<h3 class="head"><span class="numb">6.6.6</span><span class="text">Adding a port number to the webfolder-address</span></h3>

<p> Attach the port-number (80 by default) to the http-address you enter into
the field of the &quot;My Network Places&quot; assistant.  As the screenshots in the
source article (see the references above) show, this forces Windows XP to use
the &quot;Microsoft Data Access Internet Publishing Provider DAV 1.1&quot; mechanism
instead of &quot;Microsoft-WebDAV-MiniRedir/5.1.2600&quot;.

<a id="6.6.7" href="#"></a>
<a id="6.6.7.addinganumbersignquotquottothewebfolderaddress" href="#"></a>
<a id="addinganumbersignquotquottothewebfolderaddress" href="#"></a>
<h3 class="head"><span class="numb">6.6.7</span><span class="text">Adding a number-sign (&quot;#&quot;) to the webfolder-address</span></h3>

<p> It is also possible to add the number sign # to the http-address you enter
into the field of the &quot;My Network Places&quot; assistant.  As the screenshots in
the source article (see the references above) show, this also forces Windows XP
to use the &quot;Microsoft Data Access Internet Publishing Provider DAV 1.1&quot;
mechanism instead of &quot;Microsoft-WebDAV-MiniRedir/5.1.2600&quot;.

<div class="blockof code">http://the.host.name/folder#
</div>

<a id="6.6.8" href="#"></a>
<a id="6.6.8.forcewindowsxptousebasicauthentication" href="#"></a>
<a id="forcewindowsxptousebasicauthentication" href="#"></a>
<h3 class="head"><span class="numb">6.6.8</span><span class="text">Force Windows XP to use Basic Authentication</span></h3>

<p> There is a third way to get this working from the client side.  As described
in the Microsoft Knowledge Base, Article ID: 841215, Windows XP disables
&quot;Basic Auth&quot; in its &quot;Microsoft-WebDAV-MiniRedir/5.1.2600&quot; mechanism by default
for security reasons: Basic credentials are only base64-encoded, so over plain
HTTP the password crosses the network in clear text.  Only re-enable it for a
WebDAV service that is reached via HTTPS.  See description below.

<a id="6.6.9" href="#"></a>
<a id="6.6.9.microsoftxpexplorerbasicauthentication" href="#"></a>
<a id="microsoftxpexplorerbasicauthentication" href="#"></a>
<h3 class="head"><span class="numb">6.6.9</span><span class="text">Microsoft XP Explorer BASIC Authentication</span></h3>

<ul class="list simple">
<li class="item"> <a class="link blank" target="_blank" href="http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx">http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2netwk.mspx</a>
</ul>

<p> You can enable BasicAuth by adding the following registry key and setting
it to a non-zero value.  This is a machine-wide setting: once enabled the
redirector will offer Basic (base64-encoded, effectively clear-text)
credentials to any server that demands them, so make sure the WebDAV service
is accessed over HTTPS:

<div class="blockof code">HKEY_LOCAL_MACHINE\SYSTEM
\CurrentControlSet\Services\WebClient\Parameters\UseBasicAuth (DWORD)
</div>

<p> If you delete the registry key or set it to 0, the behavior reverts to the
default, i.e. the use of BasicAuth is disabled.

<p> Disabling Basic Authentication over a clear channel:

<p> Because the DAVRdr is part of the remote file-system stack, a computer is
open to attack whenever an attempt is made to remotely access files. Although
the threat to other applications that use the Internet APIs is less severe than
it is for the DAVRdr, a similar attack is possible whenever an application (or
the user) attempts to access a URL. For this reason, WinInet is exposing the
mechanism by which the DAVRdr disables BasicAuth to other users of the Internet
APIs.

<p> With Windows XP Service Pack 2, there are two ways to block the use of
Basic Authentication over clear (or unencrypted) channels:
	
<p> Create the following registry key and set it to a non-zero value.

<div class="blockof code">HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion
\InternetSettings\DisableBasicOverClearChannel (DWORD)
</div>

<p> This prevents WININET from attempting to use BasicAuth unless the channel
is secured (HTTPS, i.e. SSL/TLS).
	
<p> The application can disable the use of BasicAuth for its connections by
setting the AUTH_FLAG_DISABLE_BASIC_CLEARCHANNEL flag (0x4) in the value
supplied in the call to InternetSetOption using INTERNET_OPTION_AUTH_FLAGS.

<p> <span class="high bold"> AND THEN RESTART WINDOWS ***</span>

<a id="6.6.10" href="#"></a>
<a id="6.6.10.microsoftwindows7basicauthentication" href="#"></a>
<a id="microsoftwindows7basicauthentication" href="#"></a>
<h3 class="head"><span class="numb">6.6.10</span><span class="text">Microsoft Windows 7 BASIC Authentication</span></h3>

<p> You can enable BasicAuth by setting the following registry key to the value
3 and restarting the WebClient service.  The same caveat as for Windows XP
applies: Basic authentication sends the password base64-encoded (effectively
in clear text) over plain HTTP, so restrict its use to HTTPS services where
possible:

<div class="blockof code">HKEY_LOCAL_MACHINE\SYSTEM
\CurrentControlSet\Services\WebClient\Parameters\BasicAuthLevel (DWORD)
</div>

<a id="6.6.11" href="#"></a>
<a id="6.6.11.error0x800700dfthefilesizeexceedsthelimitallowedandcannotbesaved" href="#"></a>
<a id="error0x800700dfthefilesizeexceedsthelimitallowedandcannotbesaved" href="#"></a>
<h3 class="head"><span class="numb">6.6.11</span><span class="text">Error 0x800700DF: The file size exceeds the limit allowed and cannot be saved</span></h3>

<p> &quot;In my case I try to copy file over WEBDAV to WEB Client connection e.g. I have
mapped drive to web site. file is about 70MB I can copy small files from the
same WEBDav folder.&quot;

<div class="blockof code">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters
</div>

<ol class="list">
<li class="item"> Right click on the FileSizeLimitInBytes and click Modify
<li class="item"> Click on Decimal
<li class="item"> In the Value data box, type 4294967295, and then click OK. Note this
sets the maximum you can download from the WebDAV share to 4 GB at one time
(the largest value a DWORD can hold); there is no documented way to make it
unlimited, so larger transfers need to be split up.
</ol>

<ul class="list simple">
<li class="item"> <a class="link blank" target="_blank" href="http://social.answers.microsoft.com/Forums/en/xphardware/thread/d208bba6-920c-4639-bd45-f345f462934f">http://social.answers.microsoft.com/Forums/en/xphardware/thread/d208bba6-920c-4639-bd45-f345f462934f</a>
</ul>

<a id="6.7" href="#"></a>
<a id="6.7.references" href="#"></a>
<a id="references" href="#"></a>
<h2 class="head"><span class="numb">6.7</span><span class="text">References</span></h2>

<p> These are the resources used during WASD WebDAV development.

<ul class="list">

<li class="item"> WebDAV in general:

<ul class="list simple list0">
<li class="item"> <a class="link blank" target="_blank" href="http://webdav.org/">http://webdav.org/</a>
<li class="item"> <a class="link blank" target="_blank" href="http://en.wikipedia.org/wiki/Webdav">http://en.wikipedia.org/wiki/Webdav</a>
<li class="item"> <a class="link blank" target="_blank" href="http://tools.ietf.org/html/rfc4918">http://tools.ietf.org/html/rfc4918</a>
<li class="item"> <a class="link blank" target="_blank" href="http://tools.ietf.org/html/rfc4331">http://tools.ietf.org/html/rfc4331</a> (quota)
<li class="item"> <a class="link blank" target="_blank" href="http://tools.ietf.org/html/rfc2518">http://tools.ietf.org/html/rfc2518</a> (obsoleted by RFC 4918)
</ul>

<li class="item"> WebDAV: Next-Generation Collaborative Web Authoring
<br>Lisa Dusseault, 2003  ISBN: 0130652083

<li class="item"> Using Expat by Clark Cooper:

<ul class="list simple list0">
<li class="item"> <a class="link blank" target="_blank" href="http://en.wikipedia.org/wiki/Expat_(XML)">http://en.wikipedia.org/wiki/Expat_(XML)</a>
<li class="item"> <a class="link blank" target="_blank" href="http://www.xml.com/pub/a/1999/09/expat/index.html">http://www.xml.com/pub/a/1999/09/expat/index.html</a>
<li class="item"> <a class="link blank" target="_blank" href="http://www.xml.com/lpt/a/47">http://www.xml.com/lpt/a/47</a>
</ul>

</ul>

<a id="6.7.0.0.1" href="#"></a>
<a id="6.7.clienttools" href="#"></a>
<a id="clienttools" href="#"></a>
<h5 class="head"><span class="text">Client Tools</span></h5>

<p> All these have been used during WASD WebDAV development.

<ul class="list">

<li class="item">A comprehensive but not exhaustive list
<br><a class="link blank" target="_blank" href="http://www.webdavsystem.com/server/access/">http://www.webdavsystem.com/server/access/</a>
<br><a class="link blank" target="_blank" href="http://www.webdavsystem.com/server/access/clients_comparison">http://www.webdavsystem.com/server/access/clients_comparison</a>

<li class="item">DAVExplorer - a Java-based GUI Explorer-style file navigation tool
<br><a class="link blank" target="_blank" href="http://www.davexplorer.org/">http://www.davexplorer.org/</a>

<li class="item">cadaver - a command-line WebDAV client for *x
<br><a class="link blank" target="_blank" href="http://www.webdav.org/cadaver/">http://www.webdav.org/cadaver/</a>

<li class="item">davfs2 - a mountable WebDAV file-system for Linux
<br><a class="link blank" target="_blank" href="http://savannah.nongnu.org/projects/davfs2">http://savannah.nongnu.org/projects/davfs2</a>

<li class="item">The WebDAV URL handling of KDE 4.2 Dolphin (v1.2)
<br><a class="link blank" target="_blank" href="http://www.webdavsystem.com/server/access/konqueror">http://www.webdavsystem.com/server/access/konqueror</a>  (yup, I know!)
<br>In contrast to Gnome as reported below, KDE and its KIO/Dolphin behave
extraordinarily well.

<li class="item">The WebDAV URL handling of Gnome Nautilus (2.26.2, gvfs/1.2.2)
<br><a class="link blank" target="_blank" href="http://www.webdavsystem.com/server/access/gnome_nautilus">http://www.webdavsystem.com/server/access/gnome_nautilus</a>
<br>As at publication, <span class="high bold">Gnome/gvfs/Nautilus has quite a number of
behavioural problems</span> with associated Bugzilla items.  Don't expect it
to behave reasonably!

<li class="item">The WebDAV handling of Apple Mac macOS X Finder
<br><a class="link blank" target="_blank" href="http://www.webdavsystem.com/server/access/macosx">http://www.webdavsystem.com/server/access/macosx</a>

<li class="item">Windows Explorer - and the associated mini-redirector, et al., on XP (not Vista).
<br>See the Windows XP notes in the preceding sections (6.6.6 onwards).

<li class="item">Another Windows option - try before you buy (i.e. commercial product).
<br>&quot;WebDrive is more than just an FTP Client.&quot; Indeed! It's
functional WebDAV drive-letter client.
<br><a class="link blank" target="_blank" href="http://www.webdrive.com/">http://www.webdrive.com/</a>

<li class="item"> <span class="high bold">And if you really need effective WebDAV on a Windows platform ...</span>
<br>&quot;BitKinex integrates the functionality of an innovative FTP, SFTP
and WebDAV client for Windows.&quot;
<br><span class="high bold">And it's FREEWARE!</span>
<br><a class="link blank" target="_blank" href="http://www.bitkinex.com/">http://www.bitkinex.com/</a>

</ul>

<!-- source:0700_PROXY.WASDOC -->
<hr class="page">
<a id="7." href="#"></a>
<a id="7.proxyservices" href="#"></a>
<a id="proxyservices" href="#"></a>
<h1 class="head"><span class="numb">7.</span><span class="text">Proxy Services</span></h1>

<div class="TOC2cols2">
<table class="TOC2table">
<tr><td><a href="#7.1.httpproxyserving"><span class="numb">7.1</span><span class="text">HTTP Proxy Serving</span></a>
<tr><td><a href="#7.1.1.enablingaproxyservice"><span class="numb">7.1.1</span><span class="text">Enabling A Proxy Service</span></a>
<tr><td><a href="#7.1.2.proxyaffinity"><span class="numb">7.1.2</span><span class="text">Proxy Affinity</span></a>
<tr><td><a href="#7.1.3.proxybind"><span class="numb">7.1.3</span><span class="text">Proxy Bind</span></a>
<tr><td><a href="#7.1.4.proxychaining"><span class="numb">7.1.4</span><span class="text">Proxy Chaining</span></a>
<tr><td><a href="#7.1.5.controllingproxyserving"><span class="numb">7.1.5</span><span class="text">Controlling Proxy Serving</span></a>
<tr><td><a href="#7.2.proxycache"><span class="numb">7.2</span><span class="text">Proxy Cache</span></a>
<tr><td><a href="#7.3.connectserving"><span class="numb">7.3</span><span class="text">CONNECT Serving</span></a>
<tr><td><a href="#7.3.1.enablingconnectserving"><span class="numb">7.3.1</span><span class="text">Enabling CONNECT Serving</span></a>
<tr><td><a href="#7.3.2.controllingconnectserving"><span class="numb">7.3.2</span><span class="text">Controlling CONNECT Serving</span></a>
<tr><td><a href="#7.4.socksversion5"><span class="numb">7.4</span><span class="text">SOCKS Version 5</span></a>
<tr><td><a href="#7.5.ftpproxyserving"><span class="numb">7.5</span><span class="text">FTP Proxy Serving</span></a>
<tr><td><a href="#7.5.1.ftpquerystringkeywords"><span class="numb">7.5.1</span><span class="text">FTP Query String Keywords</span></a>
<tr><td><a href="#7.5.2.quotloginquotkeyword"><span class="numb">7.5.2</span><span class="text">&quot;login&quot; Keyword</span></a>
<tr><td><a href="#7.6.gatewayingusingproxy"><span class="numb">7.6</span><span class="text">Gatewaying Using Proxy</span></a>
<tr><td><a href="#7.6.1.reverseproxy"><span class="numb">7.6.1</span><span class="text">Reverse Proxy</span></a>
<tr><td><a href="#7.6.2.proxyrework"><span class="numb">7.6.2</span><span class="text">Proxy Rework</span></a>
<tr><td><a href="#7.6.3.oneshotproxy"><span class="numb">7.6.3</span><span class="text">One-Shot Proxy</span></a>
<tr><td><a href="#7.6.4.dnswildcardproxy"><span class="numb">7.6.4</span><span class="text">DNS Wildcard Proxy</span></a>
<tr><td><a href="#7.6.5.originatingssl"><span class="numb">7.6.5</span><span class="text">Originating SSL</span></a>
<tr><td><a href="#7.7.tunnelingusingproxy"><span class="numb">7.7</span><span class="text">Tunneling Using Proxy</span></a>
<tr><td><a href="#7.7.1.serviceproxytunnelconnect"><span class="numb">7.7.1</span><span class="text">[ServiceProxyTunnel] CONNECT</span></a>
<tr><td><a href="#7.7.2.serviceproxytunnelraw"><span class="numb">7.7.2</span><span class="text">[ServiceProxyTunnel] RAW</span></a>
<tr><td><a href="#7.7.3.serviceproxytunnelfirewall"><span class="numb">7.7.3</span><span class="text">[ServiceProxyTunnel] FIREWALL</span></a>
<tr><td><a href="#7.7.4.encryptedtunnel"><span class="numb">7.7.4</span><span class="text">Encrypted Tunnel</span></a>
<tr><td><a href="#7.7.5.encryptedtunnelwithauthentication"><span class="numb">7.7.5</span><span class="text">Encrypted Tunnel With Authentication</span></a>
<tr><td><a href="#7.7.6.sharedsshtunnel"><span class="numb">7.7.6</span><span class="text">Shared SSH Tunnel</span></a>
<tr><td><a href="#7.7.7.complexprivatetunneling"><span class="numb">7.7.7</span><span class="text">Complex Private Tunneling</span></a>
<tr><td><a href="#7.7.8.tunnellingsource"><span class="numb">7.7.8</span><span class="text">Tunnelling Source</span></a>
<tr><td><a href="#7.8.browserproxyconfiguration"><span class="numb">7.8</span><span class="text">Browser Proxy Configuration</span></a>
<tr><td><a href="#7.8.1.manual"><span class="numb">7.8.1</span><span class="text">Manual</span></a>
<tr><td><a href="#7.8.2.automatic"><span class="numb">7.8.2</span><span class="text">Automatic</span></a>
</table>
</div>


<p> A proxy server acts as an intermediary between Web clients and Web servers.
It listens for requests from the clients and forwards these to remote servers.
The proxy server then receives the responses from the servers and returns them
to the clients.  Why go to this trouble?  There are several reasons, the most
common being:

<ul class="list">

<li class="item"> To allow internal clients access to the Internet from behind a firewall.
Browsers behind the firewall have full Web access via the proxy system.

<li class="item"> To provide controlled access to internal resources for external clients.
The proxy server provides a managed gateway through a firewall into an
organisation's Web resources.

<li class="item"> Many proxy servers provide caching, or local storage, of responses.  For
frequent or commonly accessed resources this can not only significantly reduce
apparent network latency but also greatly reduce the total traffic downloaded
by a site.

<li class="item"> For anonymity.  Although often related directly to firewall security
considerations, it can also sometimes be an advantage to just not reveal the
exact source of Web transactions from within your local network.

</ul>

<a id="7.0.0.0.1" href="#"></a>
<a id="7.proxyservingquickstart" href="#"></a>
<a id="proxyservingquickstart" href="#"></a>
<h5 class="head"><span class="text">Proxy Serving Quick-Start</span></h5>

<p> No additional software needs to be installed to provide proxy serving. 

<p> Proxy serving is essentially configured using a combination of
configuration directives in WASD_CONFIG_GLOBAL and WASD_CONFIG_SERVICE to
enable proxy serving globally and then to allow a specific service to
make outgoing connections, along with mapping directives in WASD_CONFIG_MAP
to control and direct those outgoing connections.

<p> The following steps provide a brief outline of proxy configuration.

<ol class="list">

<li class="item"> Enable proxy serving and specify which particular services
are to be proxies (<a class="link" href="#7.1.1.enablingaproxyservice">7.1.1 Enabling A Proxy Service</a> and
<a class="link blank" target="_blank" href="../config/#serviceconfiguration">Service Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>)

<li class="item"> If providing SSL tunneling (proxy of Secure Sockets Layer transactions)
add/modify a service for that (<a class="link" href="#7.3.connectserving">7.3 CONNECT Serving</a>).

<li class="item"> Add WASD_CONFIG_MAP mapping rules for controlling this/these services
(<a class="link" href="#7.1.5.controllingproxyserving">7.1.5 Controlling Proxy Serving</a>, <a class="link" href="#7.3.2.controllingconnectserving">7.3.2 Controlling CONNECT Serving</a>, and
<a class="link" href="#7.5.ftpproxyserving">7.5 FTP Proxy Serving</a>).

<li class="item"> Restart server (HTTPD/DO=RESTART).

</ol>

<a id="7.0.0.0.1.1" href="#"></a>
<a id="7.proxyerrormessages" href="#"></a>
<a id="proxyerrormessages" href="#"></a>
<h6 class="head display0"><span class="text">Proxy Error Messages</span></h6>
<a id="7.0.0.0.2" href="#"></a>
<a id="7.errormessages" href="#"></a>
<a id="errormessages" href="#"></a>
<h5 class="head"><span class="text">Error Messages</span></h5>

<p> When proxy processing is enabled and WASD_CONFIG_GLOBAL directive
[ReportBasicOnly] is disabled it is necessary to make adjustments to the 
contents of the WASD_CONFIG_MSG message configuration file [status] item
beginning &quot;Additional Information&quot;.  Each of the &quot;/httpd/-/status<span class="high italic">nxx</span>.html&quot;
links

<div class="blockof code">&lt;a href=&quot;/httpd/-/status1xx.html&quot;&gt;1&lt;i&gt;xx&lt;/i&gt;&lt;/a&gt;
&lt;a href=&quot;/httpd/-/status2xx.html&quot;&gt;2&lt;i&gt;xx&lt;/i&gt;&lt;/a&gt;
&lt;a href=&quot;/httpd/-/status3xx.html&quot;&gt;3&lt;i&gt;xx&lt;/i&gt;&lt;/a&gt;
&lt;a href=&quot;/httpd/-/status4xx.html&quot;&gt;4&lt;i&gt;xx&lt;/i&gt;&lt;/a&gt;
&lt;a href=&quot;/httpd/-/status5xx.html&quot;&gt;5&lt;i&gt;xx&lt;/i&gt;&lt;/a&gt;
&lt;a href=&quot;/httpd/-/statushelp.html&quot;&gt;help&lt;/a&gt;
</div>

should be changed to include a local host component

<div class="blockof code">&lt;a href=&quot;http://local.host.name/httpd/-/status1xx.html&quot;&gt;1&lt;i&gt;xx&lt;/i&gt;&lt;/a&gt;
&lt;a href=&quot;http://local.host.name/httpd/-/status2xx.html&quot;&gt;2&lt;i&gt;xx&lt;/i&gt;&lt;/a&gt;
&lt;a href=&quot;http://local.host.name/httpd/-/status3xx.html&quot;&gt;3&lt;i&gt;xx&lt;/i&gt;&lt;/a&gt;
&lt;a href=&quot;http://local.host.name/httpd/-/status4xx.html&quot;&gt;4&lt;i&gt;xx&lt;/i&gt;&lt;/a&gt;
&lt;a href=&quot;http://local.host.name/httpd/-/status5xx.html&quot;&gt;5&lt;i&gt;xx&lt;/i&gt;&lt;/a&gt;
&lt;a href=&quot;http://local.host.name/httpd/-/statushelp.html&quot;&gt;help&lt;/a&gt;
</div>

<p> If this is not provided the links and any error report will be interpreted
by the browser as relative to the server the proxy was attempting to request
from and the error explanation will not be accessible.

<a id="7.1" href="#"></a>
<a id="7.1.httpproxyserving" href="#"></a>
<a id="httpproxyserving" href="#"></a>
<h2 class="head"><span class="numb">7.1</span><span class="text">HTTP Proxy Serving</span></h2>

<p> WASD provides a proxy service for the HTTP scheme (protocol).

<p> Proxy serving generally relies on DNS resolution of the requested host name.
DNS lookup can introduce significant latency to transactions.  To help
ameliorate this WASD incorporates a host name cache.  To ensure cache
consistency the contents are regularly flushed, after which host names must use
DNS lookup again, refreshing the information in the cache.  The period of this
cache purge is controlled with the [ProxyHostCachePurgeHours] configuration
parameter.

<p> When a request is made by a proxy server it is common for it to add a line
to the request header stating that it is a forwarded request and the agent
doing the forwarding.  With WASD proxying this line would look something like
this (note that it discloses the proxy host name, server version and platform
to every origin server, which may be undesirable where the proxy is used for
anonymity):

<div class="blockof code">Forwarded: by http://host.name.domain (HTTPd-WASD/8.4.0 OpenVMS/IA64 SSL)
</div>

It is enabled using the [ProxyForwarded] configuration parameter.

<p> An additional, and perhaps more widely used facility, is the Squid extension
field to the proxied request header supplying the originating client host name
or IP address.  Enabling it reveals the internal client address to the origin
server, which defeats the anonymity purpose described above; conversely, an
origin server should only trust this field on requests arriving from a proxy
it knows, since any client can send it directly.

<div class="blockof code">X-Forwarded-For: client.host.name
</div>

It is enabled using the [ProxyXForwardedFor] configuration parameter.

<a id="7.1.1" href="#"></a>
<a id="7.1.1.enablingaproxyservice" href="#"></a>
<a id="enablingaproxyservice" href="#"></a>
<h3 class="head"><span class="numb">7.1.1</span><span class="text">Enabling A Proxy Service</span></h3>

<p> Proxy serving is enabled on a global basis using the WASD_CONFIG_GLOBAL file
[ProxyServing] configuration parameter.  After that each virtual service must
have proxy functionality enabled as a per-service configuration.

<p> WASD can configure services using the WASD_CONFIG_GLOBAL [service]
directive, the WASD_CONFIG_SERVICE configuration file, or even the /SERVICE=
qualifier. 

<a id="7.1.1.0.1" href="#"></a>
<a id="7.1.1.wasdconfigservice" href="#"></a>
<a id="wasdconfigservice" href="#"></a>
<h5 class="head"><span class="text">WASD_CONFIG_SERVICE</span></h5>

<p> Using directives listed in
<a class="link blank" target="_blank" href="../config/#serviceconfiguration">Service Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>)
this example illustrates configuring a non-proxy service (the
<span class="high italic">disabled</span> is the default and essentially redundant) and a proxy
service.

<div class="blockof code">[[http://alpha.example.com:80]]
[ServiceProxy]  disabled

[[http://alpha.example.com:8080]]
[ServiceProxy]  enabled
</div>

<a id="7.1.2" href="#"></a>
<a id="7.1.2.proxyaffinity" href="#"></a>
<a id="proxyaffinity" href="#"></a>
<h3 class="head"><span class="numb">7.1.2</span><span class="text">Proxy Affinity</span></h3>

<p> High performance/highly available proxy server configurations require more
than one instance configured and running.  Whether this is done by running
multiple instances on the same host or one instance on multiple hosts, it leads
to situations where successive requests will be processed by different
instances. As those instances don't share a common name to IP address cache,
they will eventually use different IP addresses when trying to connect to an
origin server running on multiple hosts.

<p> This may result in the following, user visible, issues:

<ul class="list">

<li class="item"> multiple requests for authentication (one from each origin host)

<li class="item"> loss of icons, images, javascripts, CSS because requests for these files,
although they return a 401 status, will not trigger a browser authentication
dialog

<li class="item"> loss of context and performance issues where scripts/environments need to
be started on a new host (php, python, webware,...)

</ul>

<p> For these reasons, the proxy server will make every effort to relay
successive requests from a given client to the same origin host as long as this
one is available (built-in failover capability will ultimately trigger the
choice of a new host). This is known as client to origin affinity or proxy
affinity capability.

<p> Proxy to origin server affinity is enabled using the following service
configuration directive.

<div class="blockof code">[[http://alpha.example.com:8080]]
[ServiceProxy]  enabled
[ServiceProxyAffinity]  enabled
</div>

<a id="7.1.2.0.1" href="#"></a>
<a id="7.1.2.useshttpcookies" href="#"></a>
<a id="useshttpcookies" href="#"></a>
<h5 class="head"><span class="text">Uses HTTP Cookies</span></h5>

<p> Obviously the use of cookies must be enabled in the browser or this facility
will not operate for that client. After the first successful connection to an
origin host, the proxy server will send a cookie indicating the IP address used
to the client browser. Upon subsequent requests, this cookie will be used to
select the same host. The cookie is named
<span class="high italic">WasdProxyAffinity_origin.host.name</span> and the value simply the IP address in
dotted decimal.  Note that this reveals the origin host's address to the
client, and that the value is supplied by the client on every subsequent
request and so should be treated as untrusted input (confirm that the proxy
only honours addresses the origin host name actually resolves to before relying
on affinity in front of internal hosts).  This cookie is not propagated beyond
the proxy service but may be WATCHed by checking the <span class="high italic">Proxy Processing</span> item.

<a id="7.1.3" href="#"></a>
<a id="7.1.3.proxybind" href="#"></a>
<a id="proxybind" href="#"></a>
<h3 class="head"><span class="numb">7.1.3</span><span class="text">Proxy Bind</span></h3>

<p> It is possible to make the outgoing request appear to originate from a
particular source address.  The Network Interface must be able to bind to the
specified IP address (i.e. it cannot be an arbitrary address).

<div class="blockof code">[[http://alpha.example.com:8080]]
[ServiceProxy]  enabled
[ServiceProxyBind]  131.185.250.1
</div>

<p> The same behaviour may be accomplished with an WASD_CONFIG_MAP mapping rule.

<div class="blockof code">SET http://*.example.com proxy=bind=131.185.250.1
</div>

<a id="7.1.4" href="#"></a>
<a id="7.1.4.proxychaining" href="#"></a>
<a id="proxychaining" href="#"></a>
<h3 class="head"><span class="numb">7.1.4</span><span class="text">Proxy Chaining</span></h3>

<p> Some sites may already be firewalled and have corporate proxy servers
providing Internet access.  It is quite possible to use WASD proxying in this
environment, where the WASD server makes the proxied requests via the next
proxy server in the hierarchy.  This is known as <span class="high italic">proxy chaining</span>. 

<div class="blockof code">[[http://alpha.example.com:8080]]
[ServiceProxy]  enabled
[ServiceProxyChain]  next.proxy.host
</div>

<p> Chaining may also be controlled on a virtual service or path basis using an
WASD_CONFIG_MAP mapping rule.

<div class="blockof code">SET http://*.com proxy=chain=next.proxy.host:8080
</div>

<a id="7.1.4.0.1" href="#"></a>
<a id="7.1.4.chainauthorization" href="#"></a>
<a id="chainauthorization" href="#"></a>
<h5 class="head"><span class="text">Chain Authorization</span></h5>

<p> If the upstream proxy server requires authorization this may be supplied
using a per-service directive

<div class="blockof code">[[http://alpha.example.com:8080]]
[ServiceProxy]  enabled
[ServiceProxyChain]  next.proxy.host
[ServiceProxyChainCred]  basic:<span class="high left italic">username&gt;:&lt;password&gt;</span>
</div>

or via mapping rule

<div class="blockof code">SET http://*.com proxy=chain=next.proxy.host:8080 \
                 proxy=chain=cred=<span class="high italic">basic:&lt;username&gt;:&lt;password&gt;</span>
</div>

<p> The <span class="high italic">basic:</span> keyword allows WASD to appropriately encode the credentials.
Basic authentication is the only scheme currently supported.  Note that the
encoding is base64, not encryption: the credentials are stored in clear text
in the configuration file (restrict read access to it accordingly) and are
sent to the upstream proxy on every request in a trivially decodable form.

<a id="7.1.5" href="#"></a>
<a id="7.1.5.controllingproxyserving" href="#"></a>
<a id="controllingproxyserving" href="#"></a>
<h3 class="head"><span class="numb">7.1.5</span><span class="text">Controlling Proxy Serving</span></h3>

<p> Requests at a service enabled for proxy processing are directed to proxy
processing using a fundamental rule which terminates rule processing and
initiates the outgoing connection.

<div class="blockof code">pass * http://
</div>

This rule and variant equivalents for FTP and CONNECT processing, and
in combination with other rules to purpose, are seen in the examples in this
section on proxy.

<p> Controlling both access-to and access-via proxy serving is possible.

<a id="7.1.5.0.1" href="#"></a>
<a id="7.1.5.proxypassword" href="#"></a>
<a id="proxypassword" href="#"></a>
<h5 class="head"><span class="text">Proxy Password</span></h5>

<p> Access to the proxy service can be directly controlled through the use of
WASD authorization.  Proxy authorization is distinct from general access
authorization.  It uses specific <span class="high italic">proxy authorization</span> fields provided by
HTTP, and by this allows a proxied transaction to also supply transaction
authorization for the remote server.  In the WASD_CONFIG_SERVICE configuration
file.

<div class="blockof code">[[http://alpha.example.com:8080]]
[ServiceProxy]  enabled
[ServiceProxyAuth]  proxy
</div>

<p> In addition to the service being specified as requiring authorization it is
also necessary to configure the source of the authentication.  This is done
using the WASD_CONFIG_AUTH configuration file.  The following example shows all
requests for the proxy virtual service must be authorized (GET as well as
POST, etc.), although it is possible to restrict access to only read (GET),
preventing data being sent out via the server.

<div class="blockof code">[[alpha.example.com:8080]]
[&quot;Proxy Access&quot;=PROXY_ACCESS=id]
http://* read+write
</div>

<a id="7.1.5.0.2" href="#"></a>
<a id="7.1.5.chainpassword" href="#"></a>
<a id="chainpassword" href="#"></a>
<h5 class="head"><span class="text">Chain Password</span></h5>

<p> An up-stream, chained proxy server (<a class="link" href="#7.1.4.proxychaining">7.1.4 Proxy Chaining</a>) may be permitted
to receive proxy authentication from the client via a WASD proxy server using
the <span class="high monosp">CHAIN</span> keyword.  Unconfigured, WASD does not propagate HTTP <span class="high italic">proxy
authorization</span> fields.  Only one proxy server in a chain can be authenticated
against.

<div class="blockof code">[[http://alpha.example.com:8080]]
[ServiceProxy]  enabled
[ServiceProxyAuth]  chain
</div>

<a id="7.1.5.0.3" href="#"></a>
<a id="7.1.5.localpassword" href="#"></a>
<a id="localpassword" href="#"></a>
<h5 class="head"><span class="text">Local Password</span></h5>

<p> It is also possible to control proxy access via local authorization,
although this is less flexible by removing the ability to then pass
authorization information to the remote service.  In other respects it is set up
in the same way as proxy authorization, but enabled using the <span class="high monosp">LOCAL</span> keyword.

<div class="blockof code">[[http://alpha.example.com:8080]]
[ServiceProxy]  enabled
[ServiceProxyAuth]  local
</div>

<a id="7.1.5.0.4" href="#"></a>
<a id="7.1.5.accessfiltering" href="#"></a>
<a id="accessfiltering" href="#"></a>
<h5 class="head"><span class="text">Access Filtering</span></h5>

<p> Extensive control of how, by whom and what a proxy service is used for may
be exercised using WASD general and conditional mapping
<a class="link blank" target="_blank" href="../config/#requestprocessingconfiguration">Request Processing Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>)
and
<a class="link blank" target="_blank" href="../config/#conditionalmapping">Conditional Mapping</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>)
possibly in the context of a virtual service specification for the particular
connect service host and port (see 
<a class="link blank" target="_blank" href="../config/#virtualservers">Virtual Servers</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>).
The following examples provide a small indication of how mapping could be used
in a proxy service context.

<ol class="list">

<li class="item"> It is possible, though more often not practical, to regulate which hosts
are connected to via the proxy service.  For example, the following rule
forbids accessing any site with the string &quot;hacker&quot; in it (for the proxy
service &quot;alpha&hellip;:8080&quot;).  Such a deny-list matches only the host name in
the requested URL and is easily bypassed (an alias, or the IP address
literal), so prefer an allow-list as in the next example where control matters.
<div class="blockof code">[[alpha.example.com:8080]]
pass http://*hacker*/* &quot;403 Proxy access to this host is forbidden.&quot;
pass http://*
</div>

<li class="item"> Or as in the following example, only allow access to specific sites.
<div class="blockof code">[[alpha.example.com:8080]]
pass http://*.org/*
pass http://*.digital.com/*
pass http://* &quot;403 Proxy access to this host is forbidden.&quot;
</div>

<li class="item"> It is also possible to restrict access via the proxy service to selected
hosts on the internal subnet.  Here only a range of literal addresses plus a
single host in another subnet are allowed access to the service.
<div class="blockof code">[[alpha.example.com:8080]]
pass http://* &quot;403 Restricted access.&quot; ![ho:131.185.250.* ho:131.185.200.10]
pass http://*
</div>

<li class="item"> In the following example POSTing to a particular proxied servers is not
allowed (why I can't imagine, but hey, this is an example!)
<div class="blockof code">[[alpha.example.com:8080]]
pass http://subscribe.sexy.com/* &quot;403 POSTing not allowed.&quot; [me:POST]
pass http://*
</div>

<li class="item"> It is possible to redirect proxied requests to other sites.
<div class="blockof code">[[alpha.example.com:8080]]
redirect http://www.sexy.com/* http://www.disney.com/
pass http://*
</div>

<li class="item"> A proxy service is just a specialized capability of a general HTTP
service.  Therefore it is quite in order for the one service to respond to
standard HTTP requests as well as proxy-format HTTP requests.  To enforce the
use of a particular service as proxy-only, add a final rule to a virtual
service's mapping restricting non-proxy requests.
<div class="blockof code">[[alpha.example.com:8080]]
pass http://*
pass /* &quot;403 This is a proxy-only service.&quot;
</div>

<li class="item"> This example provides the essentials when supporting <span class="high italic">reverse
proxying</span>.  Note that mappings may become quite complex when supporting access
to resources across multiple internal systems (e.g. access to directory icons).
<div class="blockof code">[[main.corporate.server.com:80]]
pass /sales/* http://sales.corporate.server.com/*
pass /shipping/* http://shipping.corporate.server.com/*
pass /support/* http://support.corporate.server.com/*
pass * &quot;403 Nothing to access here!&quot;
</div>

</ol>

<div class="note"><a id="7.1.5.0.4.1" href="#"></a>
<a id="7.1.5.note" href="#"></a>
<a id="note" href="#"></a>
<h5 class="head center"><span class="text">Note</span></h5>
<hr class="note_hr">

To expedite proxy mapping it is recommended to have a final rule for the proxy
virtual service that explicitly <span class="high italic">pass</span>es the request.  This would most
commonly be a permissive pass as in example 1, could quite easily be a
restrictive pass as in example 2, or a combination as in example 6.
<hr class="note_hr">
</div>

<a id="7.1.5.0.5" href="#"></a>
<a id="7.1.5.requestmodification" href="#"></a>
<a id="requestmodification" href="#"></a>
<h5 class="head"><span class="text">Request Modification</span></h5>

<p> Using path mapping rules (see
<a class="link blank" target="_blank" href="../config/#requestprocessingconfiguration">Request Processing Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>)
it is possible to remove or specifically set selected proxied request headers. 
Many headers are critical to server processing but some are informational or
otherwise amenable to change.  This can be undertaken using the SET mapping
rule <span class="high italic">proxy=header=&lt;parameter&gt;</span>.

<p> For example, to have a proxy service suppress the &quot;Referer:&quot; request header:

<div class="blockof code"># WASD_CONFIG_MAP
set * proxy=header=referer
</div>

<p> To modify the &quot;Referer:&quot; request header to a fixed URL:

<div class="blockof code">set * proxy=header=referer=https://whatever/
</div>

<p> To modify the &quot;User-Agent:&quot; request header to a specific string:

<div class="blockof code">set * &quot;proxy=header=user-agent=None of your business!&quot;
</div>

<a id="7.2" href="#"></a>
<a id="7.2.proxycache" href="#"></a>
<a id="proxycache" href="#"></a>
<h2 class="head"><span class="numb">7.2</span><span class="text">Proxy Cache</span></h2>
<a id="7.2.0.0.0.1" href="#"></a>
<a id="7.2.proxycacheisobsolete" href="#"></a>
<a id="proxycacheisobsolete" href="#"></a>
<h6 class="head display0"><span class="text">Proxy Cache is OBSOLETE</span></h6>

<p> Caching involves using the local file-system for storage of responses that
can be reused when a request for the same URL is made. 

<div class="note">
<a id="7.2.0.0.1" href="#"></a>
<a id="7.2.asofwasdv120cachingisobsolete" href="#"></a>
<a id="asofwasdv120cachingisobsolete" href="#"></a>
<h5 class="head center"><span class="text">As of WASD v12.0 Caching is OBSOLETE</span></h5>
<hr class="note_hr">
<p> With the overwhelming Internet move to encrypted everything, the usefulness
of a proxy server local cache for cleartext responses is marginal at best.
Related configuration directives are reported obsolete and ignored.
<hr class="note_hr">
</div>

<a id="7.3" href="#"></a>
<a id="7.3.connectserving" href="#"></a>
<a id="connectserving" href="#"></a>
<h2 class="head"><span class="numb">7.3</span><span class="text">CONNECT Serving</span></h2>

<p> The <span class="high italic">connect</span> service provides firewall proxying for any
connection-oriented TCP/IP access.  Essentially it provides the ability to
tunnel any other protocol via a Web proxy server.  In the context of Web
services it is most commonly used to provide firewall-transparent access for
Secure Sockets Layer (SSL) transactions.  It is a special case of the more
general tunneling provided by WASD, see <a class="link" href="#7.7.tunnelingusingproxy">7.7 Tunneling Using Proxy</a>.

<a id="7.3.1" href="#"></a>
<a id="7.3.1.enablingconnectserving" href="#"></a>
<a id="enablingconnectserving" href="#"></a>
<h3 class="head"><span class="numb">7.3.1</span><span class="text">Enabling CONNECT Serving</span></h3>

<p> As with proxy serving in general, CONNECT serving may be enabled on a
per-service basis using the WASD_CONFIG_GLOBAL [service] directive, the WASD_CONFIG_SERVICE
configuration file, or even the /SERVICE= qualifier. 

<p> The actual services providing the CONNECT access (i.e. the host and port)
are specified on a per-service basis.  This means it is possible to have
CONNECT and non-CONNECT services deployed on the one server, as part of a
general proxy service or standalone.  CONNECT proxying is enabled by appending
the <span class="high italic">connect</span> keyword to the particular service specification.  The following
example shows non-proxy and proxy services, with and without additional
connect processing enabled.

<div class="blockof code">[[http://alpha.example.com:80]]

[[http://alpha.example.com:8080]]
[ServiceProxy]  enabled

[[http://alpha.example.com:8081]]
[ServiceProxyTunnel]  connect

[[http://alpha.example.com:8082]]
[ServiceProxy]  enabled
[ServiceProxyTunnel]  connect
</div>

<a id="7.3.2" href="#"></a>
<a id="7.3.2.controllingconnectserving" href="#"></a>
<a id="controllingconnectserving" href="#"></a>
<h3 class="head"><span class="numb">7.3.2</span><span class="text">Controlling CONNECT Serving</span></h3>

<p> The connect service poses a significant security dilemma when in use in a
firewalled environment.  Once a CONNECT service connection has been accepted
and established it essentially acts as a relay to whatever data is passed
through it.  Therefore <span class="high bold">any transaction whatsoever</span> can occur via the connect
service, which in many environments may be considered undesirable.

<p> In the context of the Web and the use of the connect service for proxying
SSL transactions it is well worth considering restricting possible connections to
the well-known SSL port, 443.  This may be done using conditional directives,
as in the following example:

<div class="blockof code">[[alpha.example.com:8080]]
if (request-method:CONNECT)
   pass *:443
   pass * &quot;403 CONNECT only allowed to port 443.&quot;
endif
</div>

All of the comments on the use of general and conditional mapping made in
<a class="link" href="#7.1.5.controllingproxyserving">7.1.5 Controlling Proxy Serving</a> can also be applied to the connect service.

<a id="7.4" href="#"></a>
<a id="7.4.socksversion5" href="#"></a>
<a id="socksversion5" href="#"></a>
<h2 class="head"><span class="numb">7.4</span><span class="text">SOCKS Version 5</span></h2>

<p> SOCKS is an Internet protocol that exchanges network packets between a
client and server through a proxy server.  SOCKS5 optionally provides
authentication so only authorized users may access a server. Practically, a
SOCKS server proxies TCP connections to an arbitrary IP address.

<p> WASD SOCKS5 supports only CONNECT TCP/IP and not BIND or UDP-associate.

<a id="7.4.0.0.1" href="#"></a>
<a id="7.4.enablingsocks5proxy" href="#"></a>
<a id="enablingsocks5proxy" href="#"></a>
<h5 class="head"><span class="text">Enabling SOCKS5 Proxy</span></h5>

<p> A SOCKS5 proxy connection must be mapped using the socks5:// pseudo scheme. 
The following rule allows connection to any host name or address.

<div class="blockof code">[[alpha.example.com:8080]]
pass socks5://*
</div>

To selectively allow SOCKS5 access, map to a specific host name or address
and an optional port.

<div class="blockof code">[[alpha.example.com:8080]]
pass socks5://the.host.name
pass socks5://134.142.71.8
pass socks5://137.146.74.10:22
</div>

<a id="7.5" href="#"></a>
<a id="7.5.ftpproxyserving" href="#"></a>
<a id="ftpproxyserving" href="#"></a>
<h2 class="head"><span class="numb">7.5</span><span class="text">FTP Proxy Serving</span></h2>

<p> WASD provides a proxy service for the FTP scheme (protocol).  This
provides the facility to list directories on the remote FTP server, download
and upload files.

<p> The (probable) file system of the FTP server host is determined by examining
the results of an FTP PWD command.  If it returns a current working directory
specification containing a &quot;/&quot; then it is assumed to be Unix(-like), if &quot;:[&quot;
then VMS, if a &quot;\&quot; then DOS.  (Some DOS-based FTP servers respond with a
Unix-like &quot;/&quot; so a second level of file-system determination is undertaken with
the first entry of the actual listing.)  Anything else is unknown and reported
as such.  WASD (for the obvious reason) is particularly careful to perform well
with FTP servers responding with VMS file specifications.

<p> Note that the content-type of the transfer is determined by the way the
proxy server interprets the FTP request path's &quot;file&quot; extension.  This may or
may not correspond with what the remote system might consider the file type to
be.  The default content-type for unknown file types is
&quot;application/octet-stream&quot; (binary).  When using the <span class="high italic">alt</span> query string
parameters then for any file in a listing the icon provides an alternate
content-type.  If the file link provides a text document then the icon will
provide a binary file.  If the link returns a binary file then the icon will
return a file with a plain-text content-type.

<p> In addition to content-type the FTP mode in which the file transfer occurs
can be determined by either of two conditions.  If the content-type is
&quot;text/..&quot; then the transfer mode will be ASCII (i.e. record carriage-control
adjusted between systems).  If not text then the file is transferred in Image
mode (i.e. a binary, opaque octet-stream).  For any given content-type this
default behaviour may be adjusted using the [AddType] directive (see
<a class="link blank" target="_blank" href="../config/#alphabeticlisting">Alphabetic Listing</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>)
or the &quot;#!+&quot; MIME.TYPES directive (see
<a class="link blank" target="_blank" href="../config/#mimetypes">MIME.TYPES</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>).

<p> The following rules are required in WASD_CONFIG_MAP for mapping FTP proxy.  These are
preferably made against the virtual service providing the FTP proxy.  The service
must explicitly make the icon path used available, or it must be available to
the proxy service in some other part of the mappings.  Also the general
requirement for error message URLs applies to FTP proxying
(<a class="link" href="#7.proxyerrormessages">&lsquo;Proxy Error Messages&rsquo; in 7. Proxy Services</a>).

<div class="blockof code">[[proxy.host.name:8080]]
pass http://* http://* 
pass ftp://* ftp://* 
pass /*/-/* /wasd_root/runtime/*/*
</div>

<a id="7.5.1" href="#"></a>
<a id="7.5.1.ftpquerystringkeywords" href="#"></a>
<a id="ftpquerystringkeywords" href="#"></a>
<h3 class="head"><span class="numb">7.5.1</span><span class="text">FTP Query String Keywords</span></h3>

<p> Keywords added to an FTP request query string allow the basic FTP action to
be somewhat tailored.  These case-insensitive keywords can be in the form of
query keys or query form fields and values.  This allows considerable
flexibility in how they are supplied, allowing easy use from a browser URL
field or for inclusion as form fields.

<table class="tabl">
<tr class="tabr under">
<th class="tabh">Keyword
<th class="tabh">Description
<tr class="tabr">
<tr class="tabr backlight">
<td class="tabd">alt
<td class="tabd">Adds alternate access (complementary content-type
at the icon) for directory listings.
<tr class="tabr">
<td class="tabd">ascii
<td class="tabd">Force the file transfer type to be done as ASCII
(i.e. with carriage-control conversion between systems with different
representations).
<tr class="tabr backlight">
<td class="tabd">content
<td class="tabd">Explicitly specify the content type for the
returned file (e.g. &quot;content:text/plain&quot;, or
&quot;content=image/gif&quot;).
<tr class="tabr">
<td class="tabd">dos
<td class="tabd">When generating a directory listing force the
interpretation to be DOS.
<tr class="tabr backlight">
<td class="tabd">email
<td class="tabd">Explicitly specify the <span class="high italic">anonymous</span>
access email address (e.g. &quot;email:daniel@wasd.vsm.com.au&quot; or
&quot;email=daniel@wasd.vsm.com.au&quot;).
<tr class="tabr">
<td class="tabd">image
<td class="tabd">Force the file transfer type to be done as an
opaque binary stream of octets.
<tr class="tabr backlight">
<td class="tabd">list
<td class="tabd">Displays the actual directory plain-text listing
returned by the remote FTP server.  Can be used for problem analysis.
<tr class="tabr">
<td class="tabd">login
<td class="tabd">Results in the server prompting for a username
and password pair that are then used as the login credentials on the remote FTP
server.
<tr class="tabr backlight">
<td class="tabd">octet
<td class="tabd">Force the content-type of the file returned to be
specified as &quot;application/octet-stream&quot;.
<tr class="tabr">
<td class="tabd">text
<td class="tabd">Force the content-type of the file returned to be
specified as &quot;text/plain&quot;.
<tr class="tabr backlight">
<td class="tabd">unix
<td class="tabd">When generating a directory listing force the
interpretation to be Unix.
<tr class="tabr">
<td class="tabd">upload
<td class="tabd">Causes the server to return a simple file
transfer form allowing the upload of a file from the local system to the remote
FTP server.
<tr class="tabr backlight">
<td class="tabd">vms
<td class="tabd">When generating a directory listing force the
interpretation to be VMS.
</table>

<a id="7.5.2" href="#"></a>
<a id="7.5.2.quotloginquotkeyword" href="#"></a>
<a id="quotloginquotkeyword" href="#"></a>
<h3 class="head"><span class="numb">7.5.2</span><span class="text">&quot;login&quot; Keyword</span></h3>

<p> The usual mechanism for supplying the username and password for access to a
non-anonymous proxied FTP server area is to place it as part of the request
line (i.e. &quot;ftp://username:password@the.host.name/path/&quot;).  This has the
obvious disadvantage that it's there for all and sundry to see.

<p> The &quot;login&quot; query string is provided to work around the more obvious
of these issues, having the authentication credentials as part of the request
URL.  When this string is placed in the request query string the FTP proxy
requests the browser to prompt for authentication (i.e. returns a 401 status). 
When request header authentication data is present it uses this as the remote
FTP server username and password.  Hence the remote username and password never
need to appear in plain-text on screen or in server logs.

<a id="7.6" href="#"></a>
<a id="7.6.gatewayingusingproxy" href="#"></a>
<a id="gatewayingusingproxy" href="#"></a>
<h2 class="head"><span class="numb">7.6</span><span class="text">Gatewaying Using Proxy</span></h2>

<p> WASD is fully capable of mapping non-proxy into proxy requests, with
various limitations on effectiveness considering the nature of what is being
performed.

<p> Gatewaying between request schemes (protocols)

<ul class="list simple list0">
<li class="item"> HTTP to HTTP (a gateway <span class="high italic">of sorts</span> - standard proxy)
<li class="item"> HTTP to HTTP-over-SSL (non-secure to secure)
<li class="item"> HTTP to FTP
<li class="item"> HTTP-over-SSL to HTTP (secure to non-secure)
<li class="item"> HTTP-over-SSL to HTTP-over-SSL (secure to secure)
<li class="item"> HTTP-over-SSL to FTP
</ul>

<p> and also gatewaying between IP versions

<ul class="list simple list0">
<li class="item"> IPv4 to IPv6
<li class="item"> IPv6 to IPv4
</ul>

<p> All can be useful for various reasons.  One example might be where a script
is required to obtain a resource from a secure server via SSL.  The script can
either be made SSL-aware, sometimes a not insignificant undertaking, or it can
use standard HTTP to the proxy and have that access the required server via
SSL.  Another example might be accessing an internal HTTP resource from an
external browser securely, with SSL being used from the browser to the proxy
server, which then accesses the internal HTTP resource on its behalf.

<a id="7.6.0.0.1" href="#"></a>
<a id="7.6.requestredirect" href="#"></a>
<a id="requestredirect" href="#"></a>
<h5 class="head"><span class="text">Request Redirect</span></h5>

<p> The basic mechanism allowing this gatewaying is &quot;internal&quot;
redirection.  The <span class="high italic">redirect</span> mapping rule (see 
<a class="link blank" target="_blank" href="../config/#redirectrule">REDIRECT Rule</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>)
either returns the new URL to the originating client (requiring it to
reinitiate the request) or begins reprocessing the request internally
(transparently to the client).  It is this latter function that is obviously
used for gatewaying.

<a id="7.6.1" href="#"></a>
<a id="7.6.1.reverseproxy" href="#"></a>
<a id="reverseproxy" href="#"></a>
<h3 class="head"><span class="numb">7.6.1</span><span class="text">Reverse Proxy</span></h3>

<p> The use of WASD proxy serving as a firewall component assumes two configured
network interfaces on the system, one of which is connected to the internal
network, the other to the external network.  (Firewalling could also be
accomplished using a single network interface with router blocking external
access to all but the server system.)  Outgoing (internal to external) proxying
is the most common configuration, however a proxy server can also be used to
provide controlled external access to selected internal resources.  This is
sometimes known as <span class="high italic">reverse proxy</span> and is a specific example of WASD's
general <span class="high italic">non-proxy to proxy</span> request redirection capability
(<a class="link" href="#7.6.gatewayingusingproxy">7.6 Gatewaying Using Proxy</a>).

<p> In this configuration the proxy server is contacted by an external browser
with a standard HTTP request.  Proxy server rules map this request onto a
proxy-request format result.  For example:

<div class="blockof code">redirect /sales/* /http://sales.server.com/*?
</div>

<p> Note that the trailing question-mark is required to propagate any query
string (see
<a class="link blank" target="_blank" href="../config/#redirectrule">REDIRECT Rule</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>).

<p> The server recognises the result format and performs a proxy request to a
system on the internal network.  Note that the mappings required could become
quite complex, but it is possible.  See example 7 in
<a class="link" href="#7.1.5.controllingproxyserving">7.1.5 Controlling Proxy Serving</a>.

<a id="7.6.1.0.1" href="#"></a>
<a id="7.6.1.redirectionlocationfield" href="#"></a>
<a id="redirectionlocationfield" href="#"></a>
<h5 class="head"><span class="text">Redirection Location Field</span></h5>
<p> If a reverse proxied server returns a redirection response (302) containing
a &quot;Location: <span class="high italic">url</span>&quot; field whose host component is the same as the reverse-proxied-to
server, it can be rewritten to instead contain the proxy server host.  If these
do not match the rewrite does not occur.  Using the redirection example above,
the SET mapping rule <span class="high italic">proxy=reverse=location</span> specifies the path that will be
prefixed to the path component in the location field URL.  Usually this would
be the same path used to map the reverse proxy redirect (in this example
&quot;/sales/&quot;), though it could be any string (presumably detected and processed by
some other part of the mapping).

<div class="blockof code">set /sales/* proxy=reverse=location=/sales/
redirect /sales/* /http://sales.server.com/*?
</div>

This could be simplified a little by using a postfix SET rule along with the
original redirect.

<div class="blockof code">redirect /sales/* /http://sales.server.com/*? proxy=reverse=location=/sales/
</div>

<p> If the <span class="high italic">proxy=reverse=location=&lt;string&gt;</span> ends in an asterisk the entire 302
location field URL is appended (rather than just the path) resulting in
something along the lines of

<div class="blockof code">Location: http://proxy.server.com/sales/http://sales.server.com/path/
</div>

which once redirected by the client can be subsequently tested for and some
action made by the proxy server according to the content (just a bell or
whistle ;-).

<a id="7.6.1.0.2" href="#"></a>
<a id="7.6.1.authorizationverification" href="#"></a>
<a id="authorizationverification" href="#"></a>
<h5 class="head"><span class="text">Authorization Verification</span></h5>

<p> WASD can authorize reverse proxy requests locally (perhaps from the SYSUAF)
and rewrite that username into the proxied request's &quot;Authorization: &hellip;&quot;
field.  The proxied-to server can then verify that the request originated from
the proxy server and extract and use that username as authenticated.

<p> This functionality is described in the
<a class="link blank" target="_blank" href="/wasd_root/src/httpd/proxyverify.c">WASD_ROOT:[SRC.HTTPD]PROXYVERIFY.C</a>
module.

<a id="7.6.2" href="#"></a>
<a id="7.6.2.proxyrework" href="#"></a>
<a id="proxyrework" href="#"></a>
<h3 class="head"><span class="numb">7.6.2</span><span class="text">Proxy Rework</span></h3>

<p> The proxy rework facility will modify a target string to a replacement
string in the request header (e.g. Host:), the response header (e.g.
set-cookie:), and in the response body.  Rework will be applied to HTML and CSS
responses.

<p> These are simple string matches.

<p> Proxy rework must be enabled for a service by setting a maximum size for the
HTML response body to be reworked, in kB.

<div class="blockof code"># WASD_CONFIG_SERVICE
[[*.1924]]
[ServiceReworkMax]  128
</div>

Specific paths must then be SET in WASD_CONFIG_MAP to have proxy requests
reworked.

<div class="blockof code"># WASD_CONFIG_MAP
[[*:1924]]
set * proxy=rework=192.168.1.3=192.168.1.2
</div>

<div class="note center"><a id="7.6.2.0.0.1" href="#"></a>
<a id="7.6.2.note" href="#"></a>
<a id="note" href="#"></a>
<h5 class="head center"><span class="text">Note</span></h5>
<hr class="note_hr">

<span class="high bold">Proxy rework likely needs a lot more work!</span> 
<hr class="note_hr">
</div>


<p> Also consider the <a class="link" href="#7.6.2.proxymungeutility">&lsquo;proxyMUNGE Utility&rsquo; in 7.6.2 Proxy Rework</a> below.

<a id="7.6.2.0.1" href="#"></a>
<a id="7.6.2.proxymungeutility" href="#"></a>
<a id="proxymungeutility" href="#"></a>
<h5 class="head"><span class="text">proxyMUNGE Utility</span></h5>

<p> This utility (CGIplus script) can be used to rewrite HTTP response
&quot;Location:&quot; fields, &quot;Set-Cookie:&quot; path and domain components and URLs in HTML
and CSS content.

<p> This functionality is described in the prologue to the code
<a class="link blank" target="_blank" href="/wasd_root/src/utils/proxymunge.c">WASD_ROOT:[SRC.UTILS]PROXYMUNGE.C</a>

<div class="note"><a id="7.6.2.0.1.1" href="#"></a>
<a id="7.6.2.note" href="#"></a>
<a id="note" href="#"></a>
<h5 class="head center"><span class="text">Note</span></h5>
<hr class="note_hr">

The proxyMUNGE Utility handles all response rewriting and so when employing it
to perform reverse-proxy processing it is unnecessary to use the
<span class="high italic">proxy=reverse=location=&lt;string&gt;</span> mapping rule described
in <a class="link" href="#7.6.1.redirectionlocationfield">&lsquo;Redirection Location Field&rsquo; in 7.6.1 Reverse Proxy</a>.
<hr class="note_hr">
</div>

<a id="7.6.3" href="#"></a>
<a id="7.6.3.oneshotproxy" href="#"></a>
<a id="oneshotproxy" href="#"></a>
<h3 class="head"><span class="numb">7.6.3</span><span class="text">One-Shot Proxy</span></h3>

<p> This looks a little like reverse proxy, providing access to a non-local
resource via a standard (non-proxy) request.  The difference is that the client
determines which remote resource is accessed.  This works quite effectively
for non-HTML resources (e.g. image, binary files, etc.) but
non-self-referential links in HTML documents will generally be inaccessible to
the client.  This can provide scripts access to protocols they do not
support, as with HTTP to FTP, HTTP to HTTP-over-SSL, etc.

<p> Mappings appropriate to the protocols to be supported must be made against
the proxy service.  Of course mapping rules may also be used to control who
connects and what is connected to; with unrestricted rules such as those below
the service relays requests to any host for any client able to reach it.

<div class="blockof code">[[the.proxy.service:port]]
# support &quot;one-shot&quot; non-proxy to proxy redirect
redirect  /http://*   http://*
redirect  /https://*  https://*
redirect  /ftp://*    ftp://*
# OK to process these (already, or now) proxy format requests
pass  http://*   http://*
pass  https://*  https://*
pass  ftp://*    ftp://*
</div>

<p> The client may then provide the desired URL as the path of the request to
the proxy service.  Notice that the scheme provided in the desired URL can be
any supported by the service and its mappings.

<div class="blockof code">http://the.proxy.service:port/http://the.remote.host/path
http://the.proxy.service:port/https://the.remote.host/path
http://the.proxy.service:port/ftp://the.remote.host/pub/
</div>

<a id="7.6.4" href="#"></a>
<a id="7.6.4.dnswildcardproxy" href="#"></a>
<a id="dnswildcardproxy" href="#"></a>
<h3 class="head"><span class="numb">7.6.4</span><span class="text">DNS Wildcard Proxy</span></h3>

<p> This relies on being able to manipulate host records in the DNS or local name
resolution database.  If a &quot;*.the.proxy.host&quot; DNS (CNAME) record is resolved it
allows any host name ending in &quot;.the.proxy.host&quot; to be resolved to the
corresponding IP address.  Similarly (at least with Compaq TCP/IP Services) the
local host database allows an alias like &quot;another.host.name.proxy.host.name&quot;
for the proxy host name.  Both of these would allow a browser to access
&quot;another.host.name.proxy.host.name&quot; with it resolved to the proxy service.  The
request &quot;Host:&quot; field would contain &quot;another.host.name.proxy.host.name&quot;.

<p> Using this approach a fully functioning proxy may be implemented for the
browser without actually configuring it for proxy access, where returned HTML
documents contain links that are always correct with reference to the host used
to request them.  This allows the client an <span class="high italic">ad hoc</span> proxy for selected
requests.  For a wildcard (CNAME) record the browser user may enter any host 
name prepended to the proxy service host name and port and have the request
proxied to that host name.  Entering the following URL into the browser
location field

<div class="blockof code">http://the.host.name.the.proxy.service:8080/path
</div>

would result in a standard HTTP proxy request for &quot;/path&quot; being made to
&quot;the.host.name:80&quot;.  With the URL

<div class="blockof code">https://the.host.name.the.proxy.service:8443/path
</div>

an SSL proxy request.  Note that normally the well-known port would be used to
connect to (80 for http: and 443 for https:).  If the final, period-separated
component of the wildcard host name is all digits it is interpreted as a
specific port to connect to.  The example

<div class="blockof code">http://the.host.name.8001.the.proxy.service:8080/path
</div>

would connect to &quot;the.host.name:8001&quot;, and

<div class="blockof code">https://the.host.name.8443.the.proxy.service:8443/path
</div>

to &quot;the.host.name:8443&quot;.

<div class="note"><a id="7.6.4.0.0.1" href="#"></a>
<a id="7.6.4.note" href="#"></a>
<a id="note" href="#"></a>
<h5 class="head center"><span class="text">Note</span></h5>
<hr class="note_hr">

It has been observed that some browsers insist that an all-digit host name
element is a port number despite it being prefixed by a period not a colon. 
These browsers then attempt to contact the host/port directly.  This obviously
precludes using an all-digit element to indicate a target port number with
these browsers.
<hr class="note_hr">
</div>

<p> This wildcard DNS entry approach is a more fully functional analogue to
common proxy behaviour but is slightly less flexible in providing gatewaying
between protocols and does require more care in configuration.  It also relies
on the contents of the request &quot;Host:&quot; field to provide mapping information
(which generally is not a problem with modern browsers).  The mappings must be
performed in two parts, the first to handle the wildcard DNS entry, the second
is the fairly standard rule(s) providing access for proxy processing.

<div class="blockof code">[[the.proxy.service:port1]]
if (host:*.the.proxy.service:port1)
   redirect  *  /http://*
else
   pass  http://*   http://*
endif
</div>

<p> The obvious difference between this and one-shot proxy is that the desired host
name is provided as part of the URL host, not part of the request path.  This
allows the browser to correctly resolve HTML links etc.  It is less flexible
because a different proxy service needs to be provided for each protocol
mapping.  Therefore, to allow HTTP to HTTP-over-SSL proxy gatewaying another
service and mapping would be required.

<div class="blockof code">[[the.proxy.service:port2]]
if (host:*.the.proxy.service:port2)
   redirect  *  /https://*
else
   pass  https://*   https://*
endif
</div>

<a id="7.6.5" href="#"></a>
<a id="7.6.5.originatingssl" href="#"></a>
<a id="originatingssl" href="#"></a>
<h3 class="head"><span class="numb">7.6.5</span><span class="text">Originating SSL</span></h3>

<p> This proxy function allows standard HTTP clients to connect to Secure
Sockets Layer (<a class="link" href="#4.transportlayersecurity">4. Transport Layer Security</a>) services.  This is very
different to the CONNECT service (<a class="link" href="#7.3.connectserving">7.3 CONNECT Serving</a>), allowing scripts
and standard character-cell browsers supporting only HTTP to access secure
services.

<p> Standard username/password authentication is supported (as are all other
standard HTTP request/response interactions).  The use of X.509 client
certificates (<a class="link" href="#4.5.12.authorizationusingx509certification">4.5.12 Authorization Using X.509 Certification</a>) to establish
outgoing identity is not currently supported.  

<a id="7.6.5.0.1" href="#"></a>
<a id="7.6.5.enablingssl" href="#"></a>
<a id="enablingssl" href="#"></a>
<h5 class="head"><span class="text">Enabling SSL</span></h5>

<p> Unlike HTTP and FTP proxy, this requires the service to be specifically
configured using the [ServiceClientSSL] directive.

<p> There are a number of Secure Sockets Layer related service parameters that
should also be considered (see
<a class="link blank" target="_blank" href="../config/#serviceconfiguration">Service Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>).
Although most have workable defaults, unless [ServiceProxyClientSSLverifyCA] and
[ServiceProxyClientSSLverifyCAfile] are specifically set the outgoing
connection will be established without any checking of the remote server's
certificate.  This means the remote host's secure service could be considered unworthy
of trust, as its identity has not been verified (any certificate presented is accepted).

<div class="blockof code"># WASD_CONFIG_SERVICE
# Originating-SSL proxy: plain-HTTP clients on 8080 are proxied to TLS/SSL
# services, with the TLS session made by this server.  No verifyCA directive
# is set here, so the remote server's certificate is NOT checked (see the
# text above); add [ServiceProxyClientSSLverifyCA] and
# [ServiceProxyClientSSLverifyCAfile] before relying on the remote's identity.
[[http://alpha.example.com:8080]]
[ServiceProxy]  enabled
[ServiceClientSSL]  enabled
</div>

<a id="7.7" href="#"></a>
<a id="7.7.tunnelingusingproxy" href="#"></a>
<a id="tunnelingusingproxy" href="#"></a>
<h2 class="head"><span class="numb">7.7</span><span class="text">Tunneling Using Proxy</span></h2>

<p> WASD supports the CONNECT method which effectively allows tunneling of
raw octets through the proxy server.  This facility is most commonly used to
allow secure SSL connections to be established with hosts on the 'other side'
of the proxy server.  This basic mechanism is also used by WASD to provide an
extended range of tunneling services.  The term <span class="high italic">raw</span> is used here
to indicate an 8 bit, bidirectional, asynchronous exchange of octets between
two entities, as a protocol family, not necessarily as an application (but can
be so).  Global proxy serving must be enabled (<a class="link" href="#7.1.1.enablingaproxyservice">7.1.1 Enabling A Proxy Service</a>) and then each service must be configured and mapped according to the
desired mode of tunneling.  Because the proxy relays the tunneled octets
without examining them, all access control (permitted request method,
destination host and port, and client address via <span class="high italic">remote-addr:</span>) has to
be applied by the mapping rules before the tunnel is established.  Disabling or
setting timeouts appropriately on the mapped service is important if
connections are not to be disrupted by general server timeouts on output and
non-progress (quiescent connections).

<a id="7.7.1" href="#"></a>
<a id="7.7.1.serviceproxytunnelconnect" href="#"></a>
<a id="serviceproxytunnelconnect" href="#"></a>
<h3 class="head"><span class="numb">7.7.1</span><span class="text">[ServiceProxyTunnel] CONNECT</span></h3>

<p> A service with this configuration is used as a target for CONNECT proxying
(usually SSL through a firewall).  The client expects an HTTP success (200)
response once the remote connection is established, and HTTP error response if
there is a problem, and once established just relays RAW octets through the
proxy server (classic CONNECT behaviour).

<div class="blockof code"># WASD_CONFIG_SERVICE
# CONNECT tunnel target (7.7.1): an HTTP 200 is returned once the remote
# connection is made, after which raw octets are relayed unexamined.  Which
# destinations may be reached is decided solely by the WASD_CONFIG_MAP rules
# for *:8080.
[[http://*:8080]]
[ServiceProxy]  enabled
[ServiceProxyTunnel]  connect
</div>

<div class="blockof code"># WASD_CONFIG_MAP
[[*:8080]]
if (request-method:connect)
# only port 443 may be CONNECTed to; the host is still unrestricted, so any
# host this server can reach (internal ones included) is a valid destination.
# Narrow the host pattern or add a remote-addr: condition for untrusted clients.
   pass *:443 *:443
# everything else is refused with an explicit reason
   pass * &quot;403 CONNECT only allowed to port 443.&quot;
endif
</div>

<p> This configuration enables CONNECT processing and limits any connect to SSL
tunneling (i.e. port 443 on the remote system).  Note that the host part of the
first rule is still a wildcard, so CONNECT is permitted to port 443 of any host
this server can reach, including hosts on the internal network.  Where
untrusted clients can reach the proxy, narrow the destination host pattern or
add a <span class="high italic">remote-addr:</span> condition (as in <a class="link" href="#7.7.4.encryptedtunnel">7.7.4 Encrypted Tunnel</a>).

<a id="7.7.2" href="#"></a>
<a id="7.7.2.serviceproxytunnelraw" href="#"></a>
<a id="serviceproxytunnelraw" href="#"></a>
<h3 class="head"><span class="numb">7.7.2</span><span class="text">[ServiceProxyTunnel] RAW</span></h3>

<p> This allows any raw octet client (e.g. telnet) to connect to the port and
by mapping be tunnelled to another host and port to connect to its service
(e.g. a telnet service).  The usual HTTP responses associated with CONNECT
processing are not provided.

<div class="blockof code"># WASD_CONFIG_SERVICE
# RAW tunnel (7.7.2): no HTTP exchange takes place, so there is no HTTP-level
# authentication or error response; every client that can open port 10023 is
# relayed according to the *:10023 mapping rules.
[[http://*:10023]]
[ServiceProxy]  enabled
[ServiceProxyTunnel]  raw
</div>

<div class="blockof code"># WASD_CONFIG_MAP
[[*:10023]]
if (request-method:connect)
# relay to the telnet port of another.host; timeout=none,none,none disables
# the server's output/non-progress timers so an idle session is not cut.
# The hop from this server to another.host:23 is carried as-is (unencrypted).
   pass *:0 raw://another.host:23 timeout=none,none,none
endif
# anything that is not a tunnel request is refused
pass &quot;403&quot;
</div>

<p> Telnet is used in the example above but the principle equally applies to
any protocol that uses a raw 8 bit, bidirectional, asynchronous exchange of
octets.  Another example might be an SMTP service (port 25).  Since no HTTP
exchange takes place there is no HTTP-level authentication on a RAW service:
any client able to open port 10023 is relayed to <span class="high italic">another.host</span>, so
restrict who may connect at the network level or with a <span class="high italic">remote-addr:</span>
condition in the mapping rule (as in <a class="link" href="#7.7.4.encryptedtunnel">7.7.4 Encrypted Tunnel</a>).  The
tunneled protocol itself is carried as-is, so a telnet session remains
plaintext between the proxy and the destination.

<a id="7.7.2.0.1" href="#"></a>
<a id="7.7.2.ssltoraw" href="#"></a>
<a id="ssltoraw" href="#"></a>
<h5 class="head"><span class="text">SSL to RAW</span></h5>

<p> Using a tunnel it is possible to put a TLS/SSL (https://) front-end service
to an otherwise plaintext-only service (http://).  TLS terminates at the WASD
server; the hop from it to the plaintext service is unencrypted and should
stay on a trusted network segment.

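<div class="blockof code"># WASD_CONFIG_SERVICE
# TLS/SSL front-end (SSL to RAW): clients speak https to tls.host:443 and are
# relayed, via the *:443 mapping rules, to a plaintext service.  The service
# host and the [ServiceNonSSLRedirect] target name the same host.
[[https://tls.host:443]]
[ServiceNonSSLRedirect]  https://tls.host:443
[ServiceProxy]  enabled
[ServiceProxyTunnel]  raw
</div>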

<div class="blockof code"># WASD_CONFIG_MAP
[[*:443]]
if (request-method:connect)
# TLS ends at this server; the hop to non-tls.host:80 is cleartext, so it
# should stay on a trusted network segment
   pass *:0 raw://non-tls.host:80
endif
pass &quot;403&quot;
</div>

<a id="7.7.2.0.2" href="#"></a>
<a id="7.7.2.chainingraw" href="#"></a>
<a id="chainingraw" href="#"></a>
<h5 class="head"><span class="text">Chaining RAW</span></h5>

<p> It is possible to have a raw tunnel establish itself through a proxy chain
(<a class="link" href="#7.1.4.proxychaining">7.1.4 Proxy Chaining</a>) by transparently generating an intermediate CONNECT
request to the up-stream proxy server.  Note that not all CONNECT proxies will
allow connection to just any specified port.  For security reasons it is
quite common to restrict CONNECT to port 443.

<div class="blockof code"># WASD_CONFIG_SERVICE
# RAW tunnel whose mapping rules chain through an up-stream proxy (7.1.4)
[[http://*:10025]]
[ServiceProxy]  enabled
[ServiceProxyTunnel]  raw
</div>

<div class="blockof code"># WASD_CONFIG_MAP
[[*:10025]]
if (request-method:connect)
# an intermediate CONNECT to proxy.host:8080 is generated for another.host:25;
# the up-stream proxy must permit CONNECT to port 25 (many allow 443 only).
# Any failure along the chain just drops the connection - use WATCH to diagnose.
   pass *:0 raw://another.host:25 proxy=chain=proxy.host:8080
endif
pass &quot;403&quot;
</div>

<p> Any error in connecting to the chained proxy, making the request,
connecting to the destination, etc. (i.e. any error at all) is not reported. 
The network connection is just dropped.  Use WATCH to establish the cause if
necessary.

<a id="7.7.3" href="#"></a>
<a id="7.7.3.serviceproxytunnelfirewall" href="#"></a>
<a id="serviceproxytunnelfirewall" href="#"></a>
<h3 class="head"><span class="numb">7.7.3</span><span class="text">[ServiceProxyTunnel] FIREWALL</span></h3>

<p> With this configuration a service expects that the first line of text from
the client contains a host name (or IP address) and optional port (e.g.
&quot;the.host.name&quot; or &quot;the.host.name:23&quot;).  This allows a variable destination to
be mapped.  The usual HTTP responses associated with CONNECT processing are not
provided.

<div class="blockof code"># WASD_CONFIG_SERVICE
# FIREWALL tunnel (7.7.3): the client's first line of text names the
# destination host (and optional port), so the destination is client-chosen
# within whatever the *:10023 mapping rules allow.
[[http://*:10023]]
[ServiceProxy]  enabled
[ServiceProxyTunnel]  FIREWALL
</div>

<div class="blockof code"># WASD_CONFIG_MAP
[[*:10023]]
if (request-method:connect)
# the port is forced to 23 but the host is whatever the client supplied, i.e.
# any host this server can reach; restrict the host pattern and/or add a
# remote-addr: condition unless an open relay to port 23 is intended
   pass *:* raw://*:23 timeout=none,none,none
   pass * raw://*:23 timeout=none,none,none
endif
pass &quot;403&quot;
</div>

<p> The pass rules force the supplied domain name (and optional port) to be
mapped to the telnet port (23).  Of course the mapping rules could allow the
supplied port to be mapped into the destination if desired.  Note that the
destination host is chosen by the client: with a wildcard host in the rule,
anyone able to connect to port 10023 can be relayed to port 23 of any host this
server can reach.  Unless that is intended, name the permitted hosts explicitly
in the rules and/or restrict clients with a <span class="high italic">remote-addr:</span> condition.

<a id="7.7.3.0.1" href="#"></a>
<a id="7.7.3.chainingfirewall" href="#"></a>
<a id="chainingfirewall" href="#"></a>
<h5 class="head"><span class="text">Chaining FIREWALL</span></h5>

<p> As with [ServiceProxyTunnel] RAW it is possible to chain FIREWALL services
to an up-stream proxy server. See <a class="link" href="#7.7.2.chainingraw">&lsquo;Chaining RAW&rsquo; in 7.7.2 [ServiceProxyTunnel] RAW</a>.

<a id="7.7.4" href="#"></a>
<a id="7.7.4.encryptedtunnel" href="#"></a>
<a id="encryptedtunnel" href="#"></a>
<h3 class="head"><span class="numb">7.7.4</span><span class="text">Encrypted Tunnel</span></h3>

<p> Up to this point the tunnels have merely been through the proxy server.  It
is possible to establish and maintain ENCRYPTED TUNNELS between WASD servers. 
SSL is used for this purpose.  This is slightly more complex as both ends of
the tunnel need to be configured.

<div class="drawing dfont draw indent">
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x250c;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2510;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x250c;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2510;<br>
<span class="dnoflip">&#x25c4;</span>&#x2500;&#x2500;unencrypted&#x2500;&#x2500;<span class="dhflip">&#x25c4;</span>&#x2502;&nbsp;WASD&nbsp;proxy&nbsp;&#x2502;<span class="dnoflip">&#x25c4;</span>&#x2500;&#x2500;ENCRYPTED&#x2500;&#x2500;<span class="dhflip">&#x25c4;</span>&#x2502;&nbsp;WASD&nbsp;proxy&nbsp;&#x2502;<span class="dnoflip">&#x25c4;</span>&#x2500;&#x2500;unencrypted&#x2500;&#x2500;<span class="dhflip">&#x25c4;</span><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2514;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2518;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2514;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2518;<br>
</div>


<p> This arrangement may be used for any stream-oriented, network protocol
between  two WASD systems.  As it uses standard CONNECT requests (over SSL) it
MAY also be possible to be configured between WASD and non-WASD servers.

<p> The following example is going to maintain an encrypted tunnel between WASD
servers running on systems KLAATU and GORT.  It is designed to allow a user on
KLAATU to connect to a specified port using a telnet client, and have a telnet
session created on GORT, tunnelled between the two systems via an SSL encrypted
connection.

<p> Source of tunnel:

<div class="blockof code"># KLAATU WASD_CONFIG_SERVICE
# tunnel source: accepts raw (telnet) connections on 10023 and, being client
# SSL capable, opens an SSL connection to GORT.  No verifyCA directive is set,
# so GORT's certificate is not checked (7.6.5) - the tunnel is encrypted but
# GORT's identity is not established unless that is added.
[[http://*:10023]]
[ServiceProxy]  enabled
[ServiceClientSSL]  ENABLED
[ServiceProxyTunnel]  RAW
</div>

<div class="blockof code"># KLAATU WASD_CONFIG_MAP
[[*:10023]]
# if the client is on the local subnet
# (the remote-addr: condition is the only access control on the tunnel source)
if (remote-addr:192.168.0.0/24 &amp;&amp; request-method:connect)
   pass *:0 https://gort.domain:10443 timeout=none,none,none
endif
pass &quot;403&quot;
</div>

<p> Destination of tunnel:

<div class="blockof code"># GORT WASD_CONFIG_SERVICE
# tunnel destination: an SSL service accepting the CONNECT method from KLAATU
[[https://*:10443]]
[ServiceProxy]  enabled
[ServiceProxyTunnel]  CONNECT
</div>

<div class="blockof code"># GORT WASD_CONFIG_MAP
[[*:10443]]
# limit the connection to a specific host
# (the source address is the only authentication of KLAATU here; 7.7.5 adds
# a client certificate check)
if (remote-addr:192.168.0.10 &amp;&amp; request-method:connect)
   pass *:0 raw://gort.domain:23 timeout=none,none,none 
endif
pass &quot;403&quot;
</div>

<p> When a client connects to the service provided by port 10023 on system
KLAATU  the connection is immediately processed using a pseudo CONNECT request
header.  The service on this port is a proxy allowed to initiate SSL
connections (client SSL).  This service is mapped to system GORT port 10443, an
SSL service that allows the CONNECT method (tunneling).  KLAATU's proxy
initiates an SSL connection with GORT.  When established and the CONNECT
request from KLAATU is received, it is mapped via a raw tunnel (8 bit, etc.) to
its own system  port 23 (the telnet service).  Telnet is in use at both ends
while encrypted by SSL in between!  Note the use of network addresses in the
conditionals and the terminating <span class="high italic">pass &quot;403&quot;</span> rules used to control
access to this service, as well as the disabling of timers that might otherwise
shutdown the tunnel.  Note also that, as for any client-SSL service, KLAATU
does not check GORT's certificate unless [ServiceProxyClientSSLverifyCA] and
[ServiceProxyClientSSLverifyCAfile] are set (<a class="link" href="#7.6.5.originatingssl">7.6.5 Originating SSL</a>);
without them the tunnel is encrypted but GORT's identity is not established.

<a id="7.7.5" href="#"></a>
<a id="7.7.5.encryptedtunnelwithauthentication" href="#"></a>
<a id="encryptedtunnelwithauthentication" href="#"></a>
<h3 class="head"><span class="numb">7.7.5</span><span class="text">Encrypted Tunnel With Authentication</span></h3>

<p> This arrangement is essentially a variation on <a class="link" href="#7.7.4.encryptedtunnel">7.7.4 Encrypted Tunnel</a>.  It
provides cryptographic authentication of the originator (source) of the tunnel
to the destination; it does not by itself make the source verify the
destination's certificate.

<p> Source of tunnel:

<div class="blockof code"># KLAATU WASD_CONFIG_SERVICE
# as 7.7.4, plus the certificate KLAATU presents to GORT so GORT's X509
# authorization rule can check its fingerprint.  GORT's own certificate is
# still not verified by KLAATU unless a verifyCA directive is added (7.6.5).
[[http://*:10023]]
[ServiceProxy]  enabled
[ServiceClientSSL]  enabled
[ServiceProxyTunnel]  RAW
[ServiceClientSSLcert]  WASD_ROOT:[LOCAL]HTTPD.PEM
</div>

<div class="blockof code"># KLAATU WASD_CONFIG_MAP
[[*:10023]]
# if the client is on the local subnet
# (still the only control on who may use the tunnel from the KLAATU side)
if (remote-addr:192.168.0.0/24 &amp;&amp; request-method:connect)
   pass *:0 https://gort.domain:10443 timeout=none,none,none
endif
pass &quot;403&quot;
</div>

<p> Destination of tunnel:

<div class="blockof code"># GORT WASD_CONFIG_SERVICE
# the destination now insists on proxy authorization (see WASD_CONFIG_AUTH)
[[https://*:10443]]
[ServiceProxy]  enabled
[ServiceProxyTunnel]  CONNECT
[ServiceProxyAuth]  PROXY
</div>

<div class="blockof code"># GORT WASD_CONFIG_MAP
[[*:10443]]
# we'll be relying on X509 authentication
# (no remote-addr: condition here - the certificate fingerprint rule in
# WASD_CONFIG_AUTH is the access control; the two could be combined)
if (request-method:connect)
   pass *:0 raw://gort.domain:23 timeout=none,none,none
endif
pass &quot;403&quot;
</div>

<div class="blockof code"># GORT WASD_CONFIG_AUTH
# X509 realm: the source must present a certificate whose fingerprint matches
# the ~ value.  This pins one specific certificate, so the rule must be
# updated whenever KLAATU's HTTPD.PEM is reissued.
[[*:10443]]
[X509]
* r+w,param=&quot;[VF:OPTIONAL]&quot;,~4EAB3CBC735F8C7977EBB41D45737E37
</div>

<p> This works by configuring the destination service to insist on proxy
authorization.  The authorization realm is X509 which causes the destination to
demand a certificate from the source (<a class="link" href="#4.5.12.authorizationusingx509certification">4.5.12 Authorization Using X.509 Certification</a>).  The fingerprint of this certificate is checked against the
authorization rule before the connection is allowed to proceed.  Because the
rule pins the fingerprint of one specific certificate, it must be updated
whenever the source's certificate is reissued; and the private key behind that
certificate is now what grants access to the tunnel, so it should be protected
accordingly.

<a id="7.7.6" href="#"></a>
<a id="7.7.6.sharedsshtunnel" href="#"></a>
<a id="sharedsshtunnel" href="#"></a>
<h3 class="head"><span class="numb">7.7.6</span><span class="text">Shared SSH Tunnel</span></h3>

<p> The objective of this <span class="high italic">raw</span>  tunnel variant (see
<a class="link" href="#7.7.2.serviceproxytunnelraw">7.7.2 [ServiceProxyTunnel] RAW</a>) is to allow tunneling 
of Secure Shell (SSH) via a client site proxy server CONNECT which is usually
confined to port 443.  Of course most Web servers are configured to provide SSL
HTTP on port 443.  Sharing of HTTP and SSH on the same port is a little
problematic and involves some protocol detection.  The following explanation of
how it is implemented is so that the reader can understand the requirement for
the &quot;timeout quirk&quot;.

<p> On configured services, WASD <span class="high italic">peeks</span> at the incoming TCP byte stream to
see if it's SSH protocol.  If it is, the socket is associated with a proxy raw
tunneling service and proxy tunneling initiated to a mapped SSH server. However
(just to make it interesting) some SSH clients do not initiate their own
exchange until after the SSH server, and so <span class="high italic">peeking</span> only works for a subset
of clients.  Of course this is a Catch-22 of sorts!  To provide for these
clients, if an input timeout should occur (an SSH client waiting) WASD sets up
the tunnel anyway and begins the proxy.  The proxied SSH server should then
initiate the protocol and the client respond.  The directive [ServiceShareSSH]
configured to be non-zero both enables this facility for a service and sets the
input timeout period (which perhaps should be shorter than the default 30
seconds because such clients will wait that long for any SSH server response).

<p> This approach seems to work well-enough in practice, although users need to
be aware that some clients will pause (for the duration of the timeout period
&ndash; the &quot;timeout quirk&quot;) during initial connection setup.

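<div class="blockof code"># WASD_CONFIG_SERVICE
# SSL service on 443 that also accepts SSH: a non-zero [ServiceShareSSH] turns
# on protocol peeking and sets the input timeout period after which a silent
# client is assumed to be SSH and tunnelled anyway
[[https://*:443]]
[ServiceShareSSH]  10

# internal proxy service used for the outgoing connection to the SSH server
[[http://*:10022]]
[ServiceProxy]  enabled
[ServiceProxyTunnel]  raw
</div>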

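<div class="blockof code"># WASD_CONFIG_MAP
[[*:443]]
# request-method:ssh matches connections detected (or timed out) as SSH; the
# SSH server's own authentication is the only control on the session unless
# a remote-addr: condition is added here
if (request-method:ssh)
   pass * raw://ssh.server.host:22 \
          service=the.proxy.host:10022 \
          timeout=none,none,none
endif

# the internal proxy service must not be usable directly
[[*:10022]]
pass &quot;403&quot;
</div>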

<p> This example shows an SSL service, the desired SSH service (which can be
local or remote) and the internal proxy service that will provide the
connection.  Note that any client able to reach port 443 can thereby reach the
SSH server (a silent connection is tunneled once the timeout expires, whatever
it eventually sends), so the SSH server's own authentication is the only
control on the tunneled session unless a <span class="high italic">remote-addr:</span> condition is added
to the rule.

<a id="7.7.7" href="#"></a>
<a id="7.7.7.complexprivatetunneling" href="#"></a>
<a id="complexprivatetunneling" href="#"></a>
<h3 class="head"><span class="numb">7.7.7</span><span class="text">Complex Private Tunneling</span></h3>

<p> When creating <span class="high italic">raw</span> tunnels between WASD servers, and possibly in other
circumstances, it is often useful to be able to signal <span class="high italic">tunnel purpose</span> to the
remote end.  In this way a single destination port can support multiple
tunneling purposes simply through mapping rules.  An originating end can
<span class="high italic">inject</span> an HTTP request line, or full request, into the established tunnel
connection, which can then be processed by the usual WASD request mapping, and
from that alternate services provided based on the intent signalled by the
originating end.

<p> This somewhat complex but instructive example illustrates the potential
utility and versatility of WASD tunneling.  It involves an originating WASD
server, a destination (service providing) WASD server, and just to make it
interesting an intermediate chained HTTP proxy server (not WASD).  The idea is
to provide access to various application services not necessarily supported by
intermediate HTTP proxies and/or gateways.  Four services will be supported
by the example: SSH, NNTP, IMAP and SMTP.

<div class="drawing dfont draw indent">
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;inside&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;firewall&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;outside<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x250c;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2510;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x250c;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2510;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x250c;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2510;<br>
<span class="dnoflip">&#x25c4;</span>&#x2500;&#x2500;raw&#x2500;&#x2500;<span class="dhflip">&#x25c4;</span>&#x2502;&nbsp;WASD&nbsp;proxy&nbsp;&#x2502;<span class="dnoflip">&#x25c4;</span>&#x2500;&#x2500;ENCRYPTED&#x2500;&#x2500;<span class="dhflip">&#x25c4;</span>&#x2502;&nbsp;other&nbsp;proxy&nbsp;&#x2502;<span class="dnoflip">&#x25c4;</span>&#x2500;&#x2500;ENCRYPTED&#x2500;&#x2500;<span class="dhflip">&#x25c4;</span>&#x2502;&nbsp;WASD&nbsp;proxy&nbsp;&#x2502;<span class="dnoflip">&#x25c4;</span>&#x2500;&#x2500;raw&#x2500;&#x2500;<span class="dhflip">&#x25c4;</span><br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2514;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2518;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2514;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2518;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2514;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2518;<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;wasd.internal.net&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;proxy.internal.net&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;wasd.external.net<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;proxy.external.net<br>
<br>
&nbsp;SSH&#x2500;&#x2500;&#x2500;8022&#x2500;&#x2500;&#x2510;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x254e;&nbsp;&nbsp;&nbsp;&nbsp;&#x254e;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x250c;&#x2500;&#x2500;&#x2500;&#x2500;22&#x2500;&#x2500;&#x2500;SSH<br>
SMTP&#x2500;&#x2500;&#x2500;8025&#x2500;&#x2500;&#x253c;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2524;&#x254c;&#x254c;&#x254c;&#x254c;&#x2524;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x2500;&#x253c;&#x2500;&#x2500;&#x2500;&#x2500;25&#x2500;&#x2500;&#x2500;SMTP<br>
NNTP&#x2500;&#x2500;&#x2500;8119&#x2500;&#x2500;&#x2524;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x254e;&#x254c;&#x254c;&#x254c;&#x254c;&#x254e;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x251c;&#x2500;&#x2500;&#x2500;119&#x2500;&#x2500;&#x2500;NNTP<br>
IMAP&#x2500;&#x2500;&#x2500;8143&#x2500;&#x2500;&#x2518;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x254e;&nbsp;&nbsp;&nbsp;&nbsp;&#x254e;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&#x2514;&#x2500;&#x2500;&#x2500;143&#x2500;&#x2500;&#x2500;IMAP<br>
</div>


<a id="7.7.7.0.1" href="#"></a>
<a id="7.7.7.internalservices" href="#"></a>
<a id="internalservices" href="#"></a>
<h5 class="head"><span class="text">Internal Services</span></h5>

<p> These are the services assigned on the WASD server on the inside of the
proxy/gateway.  Note that there is one per application to be tunneled.  For
simplicity each service port number has been selected to parallel the
well-known application port number.  Note that <span class="high italic">proxy</span> is enabled on each
(allowing them to initiate outgoing connections) and each has <span class="high italic">SSL</span> enabled
(further allowing them to initiate encrypted connections).

<div class="blockof code"># client SSH
# (one RAW tunnel service per application; each is proxy- and client-SSL-
# enabled so it can open the outgoing encrypted connection.  None sets a
# verifyCA directive, so wasd.external.net's certificate is not checked
# unless that is added - see 7.6.5.)
[[http://*:8022]]
[ServiceProxy]  enabled
[ServiceProxyTunnel]  RAW
[ServiceClientSSL]  enabled

# client SMTP
[[http://*:8025]]
[ServiceProxy]  enabled
[ServiceProxyTunnel]  RAW
[ServiceClientSSL]  enabled

# client IMAP
[[http://*:8143]]
[ServiceProxy]  enabled
[ServiceProxyTunnel]  RAW
[ServiceClientSSL]  enabled

# client NNTP
[[http://*:8119]]
[ServiceProxy]  enabled
[ServiceProxyTunnel]  RAW
[ServiceClientSSL]  enabled
</div>

<p> Each client application (i.e. IMAP, SSH) must be configured to connect to
its corresponding service port (e.g. IMAP to 8143, SMTP to 8025).

<a id="7.7.7.0.2" href="#"></a>
<a id="7.7.7.internalmapping" href="#"></a>
<a id="internalmapping" href="#"></a>
<h5 class="head"><span class="text">Internal Mapping</span></h5>

<p> These mappings are made on the WASD server on the inside of the
proxy/gateway.  The rules essentially initiate an outgoing encrypted (SSL)
connection to the host <span class="high italic">wasd.external.net</span> supporting the external WASD proxy
server.  Each is also configured not to connect directly but to request the
chained proxy server <span class="high italic">proxy.internal.net</span> to establish the connection on their
behalf.

<div class="blockof code">!##### SSH #####
! each rule opens an SSL connection to wasd.external.net:443 through the
! chained proxy and injects a CONNECT request line naming the purpose;
! that line is a routing label, not a credential - see 7.7.5 for
! certificate-based authentication of the source
[[*:8022]]
pass * https://wasd.external.net:443 notimeout \
proxy=tunnel=request=&quot;CONNECT wasd-ssh&quot; \
proxy=chain=proxy.internal.net:8080

!##### SMTP #####
! NOTE(review): only the SSH rule carries notimeout; the mail/news rules
! remain subject to the general server timeouts (see 7.7) - confirm intended
[[*:8025]]
pass * https://wasd.external.net:443 \
proxy=tunnel=request=&quot;CONNECT external-smtp&quot; \
proxy=chain=proxy.internal.net:8080

!##### NNTP #####
[[*:8119]]
pass * https://wasd.external.net:443 \
proxy=tunnel=request=&quot;CONNECT external-nntp&quot; \
proxy=chain=proxy.internal.net:8080

!##### IMAP #####
[[*:8143]]
pass * https://wasd.external.net:443 \
proxy=tunnel=request=&quot;CONNECT external-imap&quot; \
proxy=chain=proxy.internal.net:8080
</div>

<p> If the up-stream proxy server successfully connects to <span class="high italic">wasd.external.net</span>
port 443 the proxy server allows the byte-stream to be asynchronously and
bidirectionally exchanged with the internal WASD server outgoing connection. 
This internal WASD server has initiated an SSL connection and the external
server port 443 expects SSL so they can now both negotiate an SSL-encrypted
channel essentially directly with each other.

<a id="7.7.7.0.3" href="#"></a>
<a id="7.7.7.externalservices" href="#"></a>
<a id="externalservices" href="#"></a>
<h5 class="head"><span class="text">External Services</span></h5>

<p> The external WASD service configuration is very simple, a single SSL port.

<div class="blockof code"># general SSL service
# (incoming tunnels arrive here; the *:443 mapping rules decide what they
# may reach)
[[https://wasd.external.net:443]]

# outgoing proxy/tunnel service
# (used only through the service= clause of the *:443 rules; mapped to 403
# for direct use)
[[http://wasd.external.net:1234]]
[ServiceProxy]  enabled
[ServiceProxyTunnel]  raw
[ServiceClientSSL]  ENABLED
</div>

<p> Connections to the 443 port are expected to undertake an SSL negotiation to
establish an encrypted channel.  This includes incoming tunnel connections. 
The service on port 1234 is required to support the connections outgoing from
the external WASD server to the application server ports.

<a id="7.7.7.0.4" href="#"></a>
<a id="7.7.7.externalmapping" href="#"></a>
<a id="externalmapping" href="#"></a>
<h5 class="head"><span class="text">External Mapping</span></h5>

<p> These mappings are all applied to requests at port 443 on the external WASD
server <span class="high italic">wasd.external.net</span>.  Each rule checks three request characteristics.
First, the request method, &quot;CONNECT&quot;.  Second, the request URI, varies
according to the request.  These are the request data injected by the internal
WASD server <span class="high italic">wasd.internal.net</span> using the <span class="high italic">proxy=tunnel=request=</span> setting
on the mapping rule for the outgoing connection.  Third, the originating host
(<span class="high italic">proxy.external.net</span>) address adds an extra filter on from where this
facility may be used.  Bear in mind that the injected request line is a routing
label rather than a credential: any client that can reach port 443 from a
matching address can send the same CONNECT line, so the <span class="high italic">remote-addr:</span>
condition is the effective access control here; add proxy authorization (as in
<a class="link" href="#7.7.5.encryptedtunnelwithauthentication">7.7.5 Encrypted Tunnel With Authentication</a>) where that is not sufficient.
The respective <span class="high italic">pass</span> of the matching rule then initiates an outgoing
connection to the respective application server's well-known port.  A timeout
is applied to limit connection times.

<div class="blockof code">!# SSH tunneling
!# each rule needs method CONNECT, the injected URI label and a source
!# address in 205.3.*; the URI can be sent by anyone, so remote-addr: is the
!# effective access control (add proxy authorization if that is too weak)
[[*:443]]
if (request-method:CONNECT &amp;&amp; \
request-uri:&quot;wasd-ssh&quot; &amp;&amp; \
remote-addr:205.3.*) \
pass * raw://wasd.external.net:22 service=*:1234 timeout=noprogress=00:00:50

!# SMTP tunneling
[[*:443]]
if (request-method:CONNECT &amp;&amp; \
request-uri:&quot;external-smtp&quot; &amp;&amp; \
remote-addr:205.3.*) \
pass * raw://smtp.isp.net:25 service=*:1234 timeout=noprogress=00:00:50

!# NNTP tunneling
!# NOTE(review): this rule's timeout is 00:00:* where the others use
!# 00:00:50; confirm the wildcard is intended
[[*:443]]
if (request-method:CONNECT &amp;&amp; \
request-uri:&quot;external-nntp&quot; &amp;&amp; \
remote-addr:205.3.*) \
pass * raw://news.isp.net:119 service=*:1234 timeout=noprogress=00:00:*

!# IMAP tunneling
[[*:443]]
if (request-method:CONNECT &amp;&amp; \
request-uri:&quot;external-imap&quot; &amp;&amp; \
remote-addr:205.3.*) \
pass * raw://imap.isp.net:143 service=*:1234 timeout=noprogress=00:00:50

!# disable general 1234 service usage
!# (the outgoing service must only be reachable via the service= clauses above)
[[*:1234]]
pass * 403 &quot;Internal use only!&quot;
</div>

<a id="7.7.7.0.5" href="#"></a>
<a id="7.7.7.exampleinaction" href="#"></a>
<a id="exampleinaction" href="#"></a>
<h5 class="head"><span class="text">Example In Action</span></h5>

<p> Now let's look at an actual example usage.  Consider the internal user's
IMAP application, say Thunderbird, is configured to use an IMAP server at host
<span class="high italic">wasd.internal.net</span> port 8143.  The internal user activates Thunderbird which
then initiates a TCP/IP connection to the configured IMAP server expecting to
commence the IMAP application protocol.

<p> This connection arrives at <span class="high italic">wasd.internal.net</span> port 8143 which has a WASD
<span class="high italic">raw</span> tunnel service listening.  The connection is accepted and request
processing commences.  Mapping rules applied to port 8143 initiate an SSL
connection to host <span class="high italic">wasd.external.net</span> which is not directly accessible
because of the firewall and must be connected to using the HTTP proxy server
<span class="high italic">proxy.internal.net</span> as an intermediary.  This is specified in the same
mapping rule.  The mapping rule also injects an HTTP request header providing
request characteristics that can be identified and acted upon by the external
server.

<p> The internal WASD server initiates a connection to the proxy server
<span class="high italic">proxy.internal.net</span> acting as part of the firewall.  As  it is endeavouring
to initiate  an SSL connection with the external <span class="high italic">wasd.external.net</span> host this
proxy connection uses a CONNECT request specifying <span class="high italic">wasd.external.net</span> port
443.  The proxy server establishes a connection with the host
<span class="high italic">wasd.external.net</span> at port 443.  Once the connection is established it
becomes an asynchronous, bidirectional channel between <span class="high italic">wasd.internal.net</span> and
<span class="high italic">wasd.external.net</span> with the proxy server as a conduit.

<p> The service connection just established is expecting an SSL negotiation in
an attempt to establish an encrypted channel.  When this negotiation concludes
successfully the communications between <span class="high italic">wasd.internal.net</span> and
<span class="high italic">wasd.external.net</span> become opaque to all external listeners including
<span class="high italic">proxy.internal.net</span> &ndash; provided the internal server verifies the
external server's certificate ([ServiceProxyClientSSLverifyCA] and
[ServiceProxyClientSSLverifyCAfile], <a class="link" href="#7.6.5.originatingssl">7.6.5 Originating SSL</a>).  Without
that check nothing establishes that the certificate presented belongs to
<span class="high italic">wasd.external.net</span>, so an intermediary such as the chained proxy could
terminate the SSL session itself and relay the plaintext.

<p> The encrypted connection now established, the request begins to be processed
by the WASD server at <span class="high italic">wasd.external.net</span>.  A number of mapping rules apply
to port 443.  Each rule compares the injected request method and URI until, in
this case, the <span class="high italic">external-imap</span> rule matches.  This rule specifies that a raw
connection be established with the host <span class="high italic">imap.isp.net</span> at port 143 using the
proxy-capable port 1234 service.  A timeout limits the duration this connection
can be held unused.

<p> The IMAP application server at <span class="high italic">imap.isp.net</span> port 143 accepts the
connection and begins to communicate using the IMAP protocol.

<p> There is now a raw (8 bit, asynchronous, bidirectional) connection from the
Thunderbird client to <span class="high italic">wasd.internal.net</span>, (encrypted) through to
<span class="high italic">proxy.internal.net</span>, (encrypted) through to <span class="high italic">wasd.external.net</span>, and raw
to the IMAP server at <span class="high italic">imap.isp.net</span>.  This raw connection will be used for
communication between Thunderbird and the IMAP server using the IMAP
application protocol.

<a id="7.7.8" href="#"></a>
<a id="7.7.8.tunnellingsource" href="#"></a>
<a id="tunnellingsource" href="#"></a>
<h3 class="head"><span class="numb">7.7.8</span><span class="text">Tunnelling Source</span></h3>

<p> When a tunnel is established into a system the source of that connection (IP
host name/address and port) becomes obscured.  By applying the path setting
<span class="high italic">proxy=forwarded=for</span> (host name) or
<span class="high italic">proxy=forwarded=address</span> (IP address) to the mapping rule for the
destination port, the external client's identity can be recovered from data
contained in the logical name WASD_TUNNEL.  Where the value will be relied upon
prefer the address form; a host name is only as trustworthy as the name lookup
that produced it.

<p> Consider tunneling external port 22345 to internal port 22 - Secure Shell.

<div class="blockof code"># WASD_CONFIG_SERVICE
# proxy-capable service on port 22345 passing the raw byte stream through
# (no HTTP processing); anyone able to reach this port reaches the tunnel
# target, so restrict access to the service unless that is intended
[[http://*:22345]]
[ServiceProxy]  enabled
[ServiceProxyTunnel]  RAW

# WASD_CONFIG_MAP
# every connection arriving on port 22345 is joined to the local SSH port;
# "notimeout" exempts an idle tunnel from the usual unused-connection timeout
[[*:22345]]
pass * raw://localhost:22 notimeout
</div>

<p> As far as Secure Shell is concerned the source host and port would be <span class="high italic">localhost</span> and <span class="high italic">some
random port</span>.  It can be useful for the login procedure or other service to
have the actual client host name (or IP address).  Adding the path setting

<div class="blockof code"># WASD_CONFIG_MAP
# as before, but the client's IP address is recorded in WASD_TUNNEL for each
# tunnelled connection (proxy=forwarded=for would record the host name instead)
[[*:22345]]
pass * raw://localhost:22 notimeout proxy=forwarded=address
</div>

will result in connection data becoming available in the multivalued
logical name WASD_TUNNEL.  Index 0 contains internal data, and then the rest
(1..127) contain one tunneled connection's details each, in the format

<div class="blockof code"><span class="high left italic">&lt;internal-host:port&gt;</span>=<span class="high left italic">&lt;external-host:port&gt;</span>=<span class="high left italic">&lt;client-host:port&gt;</span>
</div>

For example

<div class="blockof code">localhost:46851=www.external.net:22345=mydotcom.org:49201
</div>

<p> Obtaining the SSH source port, say from TT_ACCPORNAM data, the original
client host and port can be searched for with some trivial DCL code.  Adapt to
suit local requirements.

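<div class="blockof code">&dollar;! Recover the original (external) client of a tunnelled connection from the
&dollar;! multi-valued logical name WASD_TUNNEL.  P1 is the local (internal) port of
&dollar;! the connection to look up; if omitted it is taken from the terminal's
&dollar;! TT_ACCPORNAM, which is assumed here to carry a &quot;host:port&quot; style value.
&dollar;! Index 0 of WASD_TUNNEL holds internal data; indices 1.. hold one tunnel
&dollar;! each as  internal-host:port=external-host:port=client-host:port
&dollar;! The matching client is placed in the process logical name TT_CLIENT (any
&dollar;! previous value is removed first, so no match leaves TT_CLIENT undefined).
&dollar;! NOTE: the tunnel data only remain current for about a minute, so run this
&dollar;! at connection/login time.  Treat the value as informational; with
&dollar;! proxy=forwarded=for it is a host name and only as trustworthy as the
&dollar;! name lookup that produced it.
&dollar; if P1 .eqs. &quot;&quot; then P1 = f&dollar;element(1,&quot;:&quot;,f&dollar;getdvi(&quot;TT:&quot;,&quot;TT_ACCPORNAM&quot;))
&dollar; value = &quot;&quot;
&dollar; local = &quot;&quot;
&dollar; service = &quot;&quot;
&dollar; client = &quot;&quot;
&dollar; index = 1
&dollar; index_loop:
&dollar;    value = f&dollar;trnlnm(&quot;WASD_TUNNEL&quot;,&quot;WASD_TABLE&quot;,index)
&dollar;!   an empty equivalence string marks the end of the tunnel entries
&dollar;    if value .eqs. &quot;&quot; then goto end_index_loop
&dollar;!   match on the internal port only (the internal host is not needed)
&dollar;    local = f&dollar;element(0,&quot;=&quot;,value)
&dollar;    port = f&dollar;element(1,&quot;:&quot;,local)
&dollar;    if port .eqs. P1
&dollar;    then
&dollar;       service = f&dollar;element(1,&quot;=&quot;,value)
&dollar;       client = f&dollar;element(2,&quot;=&quot;,value)
&dollar;       goto end_index_loop
&dollar;    endif
&dollar;    index = index + 1
&dollar;    goto index_loop
&dollar; end_index_loop:
&dollar; if f&dollar;trnlnm(&quot;TT_CLIENT&quot;,&quot;LNM&dollar;PROCESS&quot;) .nes. &quot;&quot; -
     then deassign /process TT_CLIENT
&dollar; if client .nes. &quot;&quot; then define /process TT_CLIENT &quot;''client'&quot;
</div>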

<p> The tunnel data remains current for at least one minute and may become
unavailable at any time after that, so it should be looked up at connection
(e.g. login) time rather than later in the session.

<div class="note"><a id="7.7.8.0.0.1" href="#"></a>
<a id="7.7.8.note" href="#"></a>
<a id="note" href="#"></a>
<h5 class="head center"><span class="text">Note</span></h5>
<hr class="note_hr">

The source data reflect only the client that connected directly to this system's
service, so they cannot identify the original client across multiple,
back-to-back tunnels (each hop sees only the preceding tunnel end-point).
<hr class="note_hr">
</div>

<a id="7.8" href="#"></a>
<a id="7.8.browserproxyconfiguration" href="#"></a>
<a id="browserproxyconfiguration" href="#"></a>
<h2 class="head"><span class="numb">7.8</span><span class="text">Browser Proxy Configuration</span></h2>

<p> The browser needs to be configured to access URLs via the proxy server. 
This is done using two basic approaches, manual and automatic.

<a id="7.8.1" href="#"></a>
<a id="7.8.1.manual" href="#"></a>
<a id="manual" href="#"></a>
<h3 class="head"><span class="numb">7.8.1</span><span class="text">Manual</span></h3>

<p> Most browsers allow configuration of access via a proxy server.  This
commonly consists of an entry for each of the common Web protocol schemes
(&quot;http:&quot;, &quot;ftp:&quot;, &quot;gopher:&quot;, etc.).  Supply the configured WASD proxy service
host name and port for the HTTP scheme; this is currently the only scheme
available.  This would be similar to the following example:

<div class="blockof code">http: www.example.com 8080
</div>

<p> To exclude local hosts, and other servers that do not require proxy access,
there is usually a field that allows a list of hosts and/or domain names for
which the browser should not use proxy access.  This might be something like:

<div class="blockof code">www.example.com,example.com,example.com
</div>

<a id="7.8.2" href="#"></a>
<a id="7.8.2.automatic" href="#"></a>
<a id="automatic" href="#"></a>
<h3 class="head"><span class="numb">7.8.2</span><span class="text">Automatic</span></h3>

<p> A proxy auto-config (PAC) file defines how web browsers and other user
agents can automatically choose the appropriate proxy server (access method)
for fetching a given URL.

<p class="indent"> <a class="link blank" target="_blank" href="https://en.wikipedia.org/wiki/Proxy_auto-config">https://en.wikipedia.org/wiki/Proxy_auto-config</a>

<p> The following is a very simple proxy configuration JavaScript function. 
This specifies that all URL host names that aren't fully qualified, or that are
in the &quot;example.com&quot; domain, will be connected to directly, with all others being
accessed via the specified proxy server.  Note the trailing <span class="high italic">DIRECT</span>
alternative in the proxy case: should the proxy be unreachable the browser will
connect directly, bypassing it.  Omit that alternative if proxy use is to be
enforced rather than merely preferred.

<div class="blockof code">// Called by the browser for every URL; returns the access method to use.
// Unqualified host names and anything under example.com are fetched
// directly, everything else goes via the WASD proxy service.  Note the
// trailing "DIRECT" alternative: should the proxy be unreachable the browser
// falls back to a direct connection, bypassing the proxy - omit it if proxy
// use is mandatory rather than merely preferred.
function FindProxyForURL(url, host)
{
   var isLocal = isPlainHostName(host) || dnsDomainIs(host, ".example.com");
   return isLocal ? "DIRECT" : "PROXY www.example.com:8080; DIRECT";
}
</div>

<p> This JavaScript is contained in a file with a specific, associated MIME file
type, &quot;application/x-ns-proxy-autoconfig&quot;.  For WASD it is recommended the file
be placed in WASD_ROOT:[LOCAL] and have a file extension of
.PAC (which follows Netscape naming convention).

<p> The following WASD_CONFIG_GLOBAL directive would map the file extension to
the required MIME type:

<div class="blockof code">[AddType]
# serve .PAC files with the MIME type browsers expect for a proxy auto-config
.PAC  application/x-ns-proxy-autoconfig  -  proxy autoconfig
</div>

<p> This file is commonly made the default document available from the proxy
service.  The following example shows the HTTP&dollar;MAP rules required to do this:

<div class="blockof code">[www.example.com:8080]
# proxy every http:// URL; without further access control this is an open
# forward proxy for anyone able to reach port 8080
pass http://* http://*
# the service root returns the auto-config file itself
pass / /wasd_root/local/proxy.pac
pass *
</div>

<p> All that remains is to provide the browser with the location from which to
load this <span class="high italic">automatic proxy configuration</span> file.  In the case of the above
set-up this would be:

<div class="blockof code">http://www.example.com:8080/
</div>

<p> A template for a proxy auto-configuration file may be found at
<a class="link blank" target="_blank" href="/wasd_root/example/proxy_autoconfig.txt">WASD_ROOT:[EXAMPLE]PROXY_AUTOCONFIG.TXT</a>
<!-- source:0800_INSTANCES.WASDOC -->
<hr class="page">
<a id="8." href="#"></a>
<a id="8.instancesandenvironments" href="#"></a>
<a id="instancesandenvironments" href="#"></a>
<h1 class="head"><span class="numb">8.</span><span class="text">Instances and Environments</span></h1>

<div class="TOC2cols2">
<table class="TOC2table">
<tr><td><a href="#8.1.serverinstances"><span class="numb">8.1</span><span class="text">Server Instances</span></a>
<tr><td><a href="#8.1.1.vmsclusteringcomparison"><span class="numb">8.1.1</span><span class="text">VMS Clustering Comparison</span></a>
<tr><td><a href="#8.1.2.considerations"><span class="numb">8.1.2</span><span class="text">Considerations</span></a>
<tr><td><a href="#8.1.3.configuration"><span class="numb">8.1.3</span><span class="text">Configuration</span></a>
<tr><td><a href="#8.1.4.status"><span class="numb">8.1.4</span><span class="text">Status</span></a>
<tr><td><a href="#8.2.serverenvironments"><span class="numb">8.2</span><span class="text">Server Environments</span></a>
</table>
</div>


<p> WASD <span class="high italic">instances</span> and <span class="high italic">environments</span> are two distinct mechanisms for
supporting multiple WASD server processes on a single system.

<p> Server instances are multiple, cooperating server processes
providing the same set of configured resources.

<p> Server environments are multiple, independent server processes
providing differently configured resources.

<a id="8.1" href="#"></a>
<a id="8.1.serverinstances" href="#"></a>
<a id="serverinstances" href="#"></a>
<h2 class="head"><span class="numb">8.1</span><span class="text">Server Instances</span></h2>

<p> The term <span class="high italic">instance</span> is used by WASD to describe an autonomous server
process.  WASD will support multiple server processes running on a single
system, alone  or in combination with multiple server processes running across
a cluster.  This is <span class="high under">not</span> the same as supporting multiple virtual servers (see
<a class="link blank" target="_blank" href="../config/#virtualservices">Virtual Services</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>).
When multiple instances are configured on a single system they cooperate to
distribute the request load between themselves and share certain essential
resources such as accounting and authorization information.

<div class="note">
<a id="8.1.0.0.1" href="#"></a>
<a id="8.1.warning" href="#"></a>
<a id="warning" href="#"></a>
<h5 class="head center"><span class="text">WARNING</span></h5>
<hr class="note_hr">
Versions earlier than Compaq TCP/IP Services v5.3 and some TCPware v5.<span class="high italic">n</span> (at 
least)  have a problem with socket listen queuing that can cause services to
&quot;hang&quot; (should this happen just disable instances and restart the server). 
Ensure you have the requisite version/ECO/patch installed before activating
multiple instances on production systems!
<hr class="note_hr">
</div>

<a id="8.1.1" href="#"></a>
<a id="8.1.1.vmsclusteringcomparison" href="#"></a>
<a id="vmsclusteringcomparison" href="#"></a>
<h3 class="head"><span class="numb">8.1.1</span><span class="text">VMS Clustering Comparison</span></h3>

<p> The approach WASD has used in providing multiple instance serving may be
compared in many ways to VMS clustering.

<p> A cluster is often described as a loosely-coupled, distributed operating
environment where autonomous processors can join, process and leave (even fail)
independently, participating in a single management domain and communicating
with one another for the purposes of resource sharing and high availability.

<p> Similarly WASD instances run in autonomous, detached processes (across one
or more systems in a cluster) using a common configuration and management
interface, aware of the presence and activity of other instances (via the
Distributed Lock Manager and shared memory), sharing processing load and
providing rolling restart and automatic &quot;fail-through&quot; as required.

<a id="8.1.1.0.1" href="#"></a>
<a id="8.1.1.loadsharing" href="#"></a>
<a id="loadsharing" href="#"></a>
<h5 class="head"><span class="text">Load Sharing</span></h5>

<p> On a multi-CPU system there are performance advantages to having processing
available for scheduling on each.  WASD employs AST (I/O) based processing and
was not originally designed to support VMS kernel threading.  Benchmarking has
shown this to be quite fast and efficient even when compared to a
kernel-threaded server (OSU) across 2 CPUs.  The advantage of multiple CPUs for
a single multi-threaded server also diminishes where a site frequently
activates scripts for processing.  These of course (potentially) require a CPU
each for processing.  Where a system has many CPUs (and to a lesser extent with
only two and few script activations) WASD's single-process, AST-driven design
would scale more poorly.  Running multiple WASD instances addresses this.

<p> <span class="high bold">Of course load sharing is not the only advantage to multiple
instances &hellip;</span>

<a id="8.1.1.0.2" href="#"></a>
<a id="8.1.1.restart" href="#"></a>
<a id="restart" href="#"></a>
<h5 class="head"><span class="text">Restart</span></h5>

<p> When multiple WASD instances are executing on a node and a restart is
initiated only one process shuts down at a time.  Others remain available for
requests until the one restarting is again fully ready to process them itself,
at which point the next commences restart.  This has been termed a
<span class="high italic">rolling restart</span>.  Such behaviour allows server reconfiguration on a
busy site without even a small loss of availability.

<a id="8.1.1.0.3" href="#"></a>
<a id="8.1.1.failthrough" href="#"></a>
<a id="failthrough" href="#"></a>
<h5 class="head"><span class="text">Fail-Through</span></h5>

<p> When multiple instances are executing on a node and one of these exits for
some reason (resource exhaustion, bugcheck, etc.) the other(s) will continue
to process requests.  Of course requests in-progress by the particular instance
at the time of instance failure are disconnected (this contrasts with the
rolling restart behaviour described above).  If the former process has
actually exited (in contrast to just the image) a new server process will
automatically be created after a few seconds.

<p> The term <span class="high italic">fail-through</span> is used rather than <span class="high italic">failover</span> because one server
does not commence processing as another ceases.  All servers are constantly
active with those remaining immediately and automatically taking all requests
in the absence any one (or more) of them.

<a id="8.1.2" href="#"></a>
<a id="8.1.2.considerations" href="#"></a>
<a id="considerations" href="#"></a>
<h3 class="head"><span class="numb">8.1.2</span><span class="text">Considerations</span></h3>

<p> Of course &quot;there is no such thing as a free lunch&quot; and supporting multiple
instances is no exception to this rule.  To coordinate activity between and
access to shared resources, multiple instances use low-level mutexes and the
VMS Distributed Lock Manager (DLM).  This does add some system overhead and a
little latency to request processing, however as the benchmarks indicate
increases in overall request throughput on a multi-CPU system easily offset
these costs.  On single CPU systems the advantages of rolling restart and
fail-through need to be assessed against the small cost on a per-site basis. 
It is to be expected many low activity sites  will not require multiple
instances to be active at all.

<p> When managing multiple instances on a single node it is important to
remember that requests are distributed to the processes in round-robin fashion,
which must be taken into account when debugging scripts, using the Server
Administration page, WATCH and the like (see <a class="link" href="#8.1.serverinstances">8.1 Server Instances</a>).

<a id="8.1.3" href="#"></a>
<a id="8.1.3.configuration" href="#"></a>
<a id="configuration" href="#"></a>
<h3 class="head"><span class="numb">8.1.3</span><span class="text">Configuration</span></h3>

<p> If not explicitly configured only one instance is created.  The
configuration directive [InstanceMax] allows multiple instances to be specified
(see <a class="link blank" target="_blank" href="../config/#globalconfiguration">Global Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>).
When this is set to an integer that many instances are created and maintained. 
If set to &quot;CPU&quot; then one instance per system CPU is created.  If set to
&quot;CPU-<span class="high italic">integer</span>&quot; then one instance for all but one CPU is created, etc.  The
current limit on instances is eight, although this is somewhat arbitrary.  As
with all requests, Server Administration page access is automatically shared
between instances.  There are occasions when consistent access to a single
instance is desirable.  This is provided via an <span class="high italic">admin service</span> (see
<a class="link blank" target="_blank" href="../config/#serviceconfiguration">Service Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>).

<p> When executing, the server process name appends the instance number to the
&quot;WASD&quot;.  Associated scripting processes are named accordingly.  This example
shows such a system:

<div class="blockof code">Pid      Process Name    State  Pri      I/O       CPU       Page flts  Pages
21600801 SWAPPER         HIB     16        0   0 00:06:53.65         0      0
21600807 CLUSTER_SERVER  HIB     12     1879   0 00:01:14.51        91    112
21600808 CONFIGURE       HIB     10       30   0 00:00:01.46        47     23
&hellip;
21600816 ACME_SERVER     HIB     10    71525   0 00:01:28.08       508    713 M
21600818 SMISERVER       HIB      9    11197   0 00:00:02.29       158    231
21600819 TP_SERVER       HIB      9  1337711   0 00:05:55.78        80    105
&hellip;
216421F1 WASD1:80        HIB      5  5365731   0 00:23:12.86     37182   7912
2164523F WASD2:80        HIB      5  5347938   0 00:23:31.41     38983   7831
2162BA5D WASD_WOTSUP     HIB      3     2111   0 00:00:00.47       735    518
2164ABCF WASD1:80-651    LEF      6    57884   0 00:00:16.71      3562   3417
2164CBDB WASD2:80-612    LEF      4    19249   0 00:00:04.16      3153   3116
21631BDC WASD2:80-613    LEF      5    18663   0 00:00:07.19      3745   3636
2164BBE6 WASD1:80-658    LEF      5     3009   0 00:00:00.94      2359   2263
&hellip;
</div>

<a id="8.1.4" href="#"></a>
<a id="8.1.4.status" href="#"></a>
<a id="status" href="#"></a>
<h3 class="head"><span class="numb">8.1.4</span><span class="text">Status</span></h3>

<p> The instance management infrastructure distributes basic status data to all
instances on the node and/or cluster.  The intent is to provide an easily
comprehended snapshot of multi-instance/multi-node WASD processing status.  The
data comprises:

<ul class="list list0">
<li class="item"> instance name (e.g. &quot;KLAATU::WASD:443&quot;)
<li class="item"> date/time the instance status was last updated
<br> + how long <span class="high italic">ago</span> this was (seconds, minutes, hours, or days)
<li class="item"> date/time the instance last started
<br> + how long <span class="high italic">ago</span> this was (seconds, minutes, hours, or days)
<li class="item"> number of times the instance has started up
<li class="item"> date/time the instance last exited
<br> + how long <span class="high italic">ago</span> this was (seconds, minutes, hours, or days)
<li class="item"> the VMS status at the last exit
<li class="item"> instance WASD version (e.g. &quot;11.2.0&quot;)
<li class="item"> number of requests processed during the preceding minute
<li class="item"> number of requests processed during the preceding sixty minutes
</ul>

<p> The data are constrained to these items due to the need to accommodate them
within a 64 byte lock value block for cluster purposes.  Single node
environments do not utilise the DLM, each instance updating its table entry
directly.

<p> Each node has a table with an entry for every other instance in that WASD
environment.  Instance data are updated once every minute so any instance with
data older than one minute is no longer behaving correctly.  This could be due
to some internal error, or that the instance no longer exists (e.g. been
stopped, exited or otherwise no longer executing).  An entry for an instance
that no longer exists is retained indefinitely, or until a /DO=STATUS=PURGE is
performed removing all such <span class="high italic">expired</span> entries, or a /DO=STATUS=RESET removing
all entries (and allowing those currently executing to repopulate the instance
data over the next minute).

<p> These status data are accessible via command-line and in-browser reports,
intended for larger WASD installations, primarily those operating across
multiple nodes in a cluster.  With the data being held in common across the
cluster, any of the other nodes can provide a per-cluster history even if one
or more nodes become completely non-operational.

<p> This is an example report on a 132 column terminal display.  Due to screen
width constraints the date/time omits the year field of the date.

<div class="blockof code">&dollar; httpd/do=status
    Instance          Ago Up               Ago Count Exit             Ago Status     Version /Min /Hour
    ~~~~~~~~~~~~~~~~ ~~~~ ~~~~~~~~~~~~~~~ ~~~~ ~~~~~ ~~~~~~~~~~~~~~~ ~~~~ ~~~~~~~~~~ ~~~~~~~ ~~~~ ~~~~~
 1  KLAATU::WASD:80   41s 18-DEC 23:27:57  54m    21 18-DEC 23:27:57  54m %X00000001 11.2.0    2     17
    KLAATU::WASD1:80---1d-17-DEC-02:49:21---1d-----5-17-DEC-02:50:03---1d-%X00000001-11.2.0----3-----15
    KLAATU::WASD2:80---1d-17-DEC-02:49:25---1d-----5-17-DEC-02:50:07---1d-%X00000001-11.2.0----0-----10
    KLAATU::WASD3:80---1d-17-DEC-02:49:29---1d-----6-17-DEC-02:50:11---1d-%X00000001-11.2.0----0------3
    as at 19-DEC-2017 00:22:41
</div>

<p> This provides an example CLI report showing a single node, where a single
instance has been started, changed to a three instance configuration, and
restarted so that the three instances have begun processing.  The configuration
has then been returned to a single instance and the existing three instances
restarted the previous day, resulting in the original single instance returning
to processing.  That instance was last (re)started some 54 minutes ago (a normal
exit status showing) and its status was last updated some 41 seconds ago.  Note
that the three instances shown white-space struck-through with hyphens are
stale, having last been updated 1 day ago.  Entries older than three minutes
are displayed in this format to differentiate them from current entries.

<p> The same report on an 80 column terminal.  Note that the overt date/time
has been omitted, leaving only the period <span class="high italic">ago</span> the event happened.

<div class="blockof code">&dollar; httpd/do=status
    Instance          Ago   Up Count Exit Status     Version /Min /Hour
    ~~~~~~~~~~~~~~~~ ~~~~ ~~~~ ~~~~~ ~~~~ ~~~~~~~~~~ ~~~~~~~ ~~~~ ~~~~~
 1  KLAATU::WASD:80    5s  58m    21  58m %X00000001 11.2.0    1     18
    KLAATU::WASD1:80---1d---1d-----5---1d-%X00000001-11.2.0----3-----15
    KLAATU::WASD2:80---1d---1d-----5---1d-%X00000001-11.2.0----0-----10
    KLAATU::WASD3:80---1d---1d-----6---1d-%X00000001-11.2.0----0------3
    as at 19-DEC-2017 00:25:05
</div>

<p> Where multiple instances exist, or have existed, and the terminal page size
is greater than 24 lines, HTTPMON displays an equivalent of the 80 column
report at the bottom of the display.

<p> Similarly, the Server Admin report (<a class="link" href="#9.serveradministration">9. Server Administration</a>) shows an
HTML equivalent of the 80 column report immediately below the control and time
panels.

<a id="8.1.4.0.1" href="#"></a>
<a id="8.1.4.usinginstancestatus" href="#"></a>
<a id="usinginstancestatus" href="#"></a>
<h5 class="head"><span class="text">Using Instance Status</span></h5>

<ul class="list list0">
<li class="item"> The strike-through (hyphens) of an instance line immediately indicates
the instance is no longer updating (after 3 minutes).
<br> Clear stale entries using &dollar; HTTPD/DO=STATUS=PURGE.
<li class="item"> The instance name <span class="high italic">Ago</span> shows how long ago it was last updated.
<li class="item"> If the exit <span class="high italic">Ago</span> is more recent than the startup <span class="high italic">Ago</span> the instance
has exited but not restarted.
<br> The exit <span class="high italic">Status</span> can show a non-normal status (i.e. not %X00000001).
<li class="item"> An excessive startup <span class="high italic">Count</span> suggests something amiss.
<li class="item"> Per-minute and/or per-hour request counts that seem atypically low while
instance status seems otherwise normal suggests a networking issue, perhaps
up-stream.
</ul>

<a id="8.2" href="#"></a>
<a id="8.2.serverenvironments" href="#"></a>
<a id="serverenvironments" href="#"></a>
<h2 class="head"><span class="numb">8.2</span><span class="text">Server Environments</span></h2>

<p> WASD server environments allow multiple, distinctly configured environments
to execute on a single system.  Generally, WASD's unlimited virtual servers and
multiple account scripting eliminates the need for multiple execution
environments to kludge these requirements.  However there may be circumstances
that make this desirable; regression and forward-compatibility testing comes to
mind.

<p> See <a class="link blank" target="_blank" href="../install/#serverenvironments">Server Environments</a> in <a class="link blank" target="_blank" href="../install/#0.">WASD Installation</a> for
detailed information on maintaining multiple installations of WASD.
<!-- source:0900_ADMIN.WASDOC -->
<hr class="page">
<a id="9." href="#"></a>
<a id="9.serveradministration" href="#"></a>
<a id="serveradministration" href="#"></a>
<h1 class="head"><span class="numb">9.</span><span class="text">Server Administration</span></h1>

<div class="TOC2cols2">
<table class="TOC2table">
<tr><td><a href="#9.1.accessbeforeconfiguration"><span class="numb">9.1</span><span class="text">Access Before Configuration</span></a>
<tr><td><a href="#9.2.accessconfiguration"><span class="numb">9.2</span><span class="text">Access Configuration</span></a>
<tr><td><a href="#9.3.serverinstances"><span class="numb">9.3</span><span class="text">Server Instances</span></a>
<tr><td><a href="#9.4.httpdserverreports"><span class="numb">9.4</span><span class="text">HTTPd Server Reports</span></a>
<tr><td><a href="#9.5.httpdserverrevise"><span class="numb">9.5</span><span class="text">HTTPd Server Revise</span></a>
<tr><td><a href="#9.6.httpdserveraction"><span class="numb">9.6</span><span class="text">HTTPd Server Action</span></a>
<tr><td><a href="#9.7.httpdcommandline"><span class="numb">9.7</span><span class="text">HTTPd Command Line</span></a>
<tr><td><a href="#9.7.1.accounting"><span class="numb">9.7.1</span><span class="text">Accounting</span></a>
<tr><td><a href="#9.7.2.alignmentfaults"><span class="numb">9.7.2</span><span class="text">Alignment Faults</span></a>
<tr><td><a href="#9.7.3.authentication"><span class="numb">9.7.3</span><span class="text">Authentication</span></a>
<tr><td><a href="#9.7.4.cache"><span class="numb">9.7.4</span><span class="text">Cache</span></a>
<tr><td><a href="#9.7.5.configurationcheck"><span class="numb">9.7.5</span><span class="text">Configuration Check</span></a>
<tr><td><a href="#9.7.6.dclscriptingprocesses"><span class="numb">9.7.6</span><span class="text">DCL/Scripting Processes</span></a>
<tr><td><a href="#9.7.7.decnetscriptingconnections"><span class="numb">9.7.7</span><span class="text">DECnet Scripting Connections</span></a>
<tr><td><a href="#9.7.8.hhelppp"><span class="numb">9.7.8</span><span class="text">Hhelppp!</span></a>
<tr><td><a href="#9.7.9.http2connection"><span class="numb">9.7.9</span><span class="text">HTTP/2 Connection</span></a>
<tr><td><a href="#9.7.10.instances"><span class="numb">9.7.10</span><span class="text">Instances</span></a>
<tr><td><a href="#9.7.11.instancestatus"><span class="numb">9.7.11</span><span class="text">Instance Status</span></a>
<tr><td><a href="#9.7.12.logging"><span class="numb">9.7.12</span><span class="text">Logging</span></a>
<tr><td><a href="#9.7.13.mapping"><span class="numb">9.7.13</span><span class="text">Mapping</span></a>
<tr><td><a href="#9.7.14.networkconnection"><span class="numb">9.7.14</span><span class="text">Network Connection</span></a>
<tr><td><a href="#9.7.15.shutdownandrestart"><span class="numb">9.7.15</span><span class="text">Shutdown and Restart</span></a>
<tr><td><a href="#9.7.16.securesocketslayer"><span class="numb">9.7.16</span><span class="text">Secure Sockets Layer</span></a>
<tr><td><a href="#9.7.17.throttle"><span class="numb">9.7.17</span><span class="text">Throttle</span></a>
<tr><td><a href="#9.7.18.websocket"><span class="numb">9.7.18</span><span class="text">WebSocket</span></a>
</table>
</div>


<p> The online Server Administration facility provides a rich collection of
functionality, including server control, reports and configuration.  Some of
these are intended as general administration tools while others provide more
detailed information intended for server debugging and development purposes. 

<p> The administration interface also provides some basic server statistics in
the lower right panel;&nbsp; local date/time, internet (UTC) equivalent,
client host, connection protocol, and request RTT (the essential network
overhead between client and server), up-times for system, server process,
server executable, CPU consumed by it, along with current connection and
requests-in-progress statistics.  Alerts (in red) also can appear in this
panel.

<a class="imglink" target="_blank" href="./admin.png"><img class="image" src="./admin.png"></a>

<p> The value of the WATCH facility <a class="link" href="#10.watchfacility">10. WATCH Facility</a> as a general
configuration and problem-solving tool cannot be overstated.

<p> All server configuration files, with the exception of the authentication
databases, are plain text and may be modified with any prefered editor. 
However the majority of these can also be administered online through a
browser.  In addition the <span class="high italic">update</span> facility allows some administration of file
system portions of the Web. See <a class="link" href="#12.httpdwebupdate">12. HTTPd Web Update</a>.

<p> Access to many portions of the package is constrained by file protections
and directory listing access files.  A method for circumventing these
restrictions is described elsewhere in this documentation.

<a id="9.1" href="#"></a>
<a id="9.1.accessbeforeconfiguration" href="#"></a>
<a id="accessbeforeconfiguration" href="#"></a>
<h2 class="head"><span class="numb">9.1</span><span class="text">Access Before Configuration</span></h2>

<p> It is often a significant advantage for the inexperienced administrator on a
new and largely unconfigured installation to be able to gain access to the
facilities offered by Server Administration, particularly the WATCH facility
(<a class="link" href="#10.watchfacility">10. WATCH Facility</a>).  This can be done quite simply by using the
authentication skeleton-key (<a class="link" href="#3.12.skeletonkeyauthentication">3.12 Skeleton-Key Authentication</a>).  This allows
the site administrator to register a username and password from the
command-line that can be used to gain access to the server.  In addition, the
server ensures that requesting an otherwise non-authorized Server
Administration facility generates a challenge which invokes a username/password
dialog at the browser allowing the user to enter the previously registered
username and password and gain access. 

<a id="9.1.0.0.1" href="#"></a>
<a id="9.1.method" href="#"></a>
<a id="method" href="#"></a>
<h5 class="head"><span class="text">Method</span></h5>

<ul class="list">

<li class="item"> Register the skeleton-key username and password.
<div class="blockof code">&dollar; HTTPD == &quot;&dollar;WASD_EXE:HTTPD_SSL.EXE&quot;
&dollar;! HTTPD == &quot;&dollar;WASD_EXE:HTTPD.EXE&quot;
&dollar;! the password is given on the command line and so may be retained by
&dollar;! command recall; cancel the key (SKELKEY=0) as soon as it is no longer needed
&dollar; HTTPD /DO=AUTH=SKELKEY=<span class="high italic under">username:password</span>
</div>
<p> Note that the username must begin with an underscore, be at least 6
characters, is delimited by a colon, and that the password must be at least 8
characters.  By default this username and password remains valid for 60
minutes, throughout which it grants access to the Server Administration
facility.  <span class="high bold">Choose strings that are less-than-obvious</span>, and cancel
the key as soon as it is no longer required (see below).

<li class="item"> Access the server via a browser and use the server Server Administration
facility.

<p class="indent"> <a class="link blank" target="_blank" href="/httpd/-/admin/">https://the.host.name:port/httpd/-/admin/</a>

<li class="item"> After use the skeleton-key may be explicitly cancelled if desired.
<div class="blockof code">&dollar; HTTPD /DO=AUTH=SKELKEY=0
</div>

</ul>

<a id="9.2" href="#"></a>
<a id="9.2.accessconfiguration" href="#"></a>
<a id="accessconfiguration" href="#"></a>
<h2 class="head"><span class="numb">9.2</span><span class="text">Access Configuration</span></h2>

<p> Once established the site should make the Server Administration facility a
configured facility of the site.  The value of its facilities cannot be
overstated.

<p> It is also recommended that for production sites the path to these reports
be controlled via authentication and authorization, using both host and
username restrictions, similar to the following:

<div class="blockof code">[WHATEVER-REALM]
/httpd/-/admin/*  host.ip.addr,~WebMaster,~WhoEverElse,r+w
</div>

<p> If a full authorization environment is not required but
administration via browser is still desired restrict access to browsers
executing on the server system itself, using an appropriate
SYSUAF-authenticated username. Provision of a VMS account for server
administration only is quite feasible, see <a class="link" href="#3.10.6.nilaccessvmsaccounts">3.10.6 Nil-Access VMS Accounts</a>.

<div class="blockof code">[VMS]
/httpd/-/admin/*  #localhost,~<span class="high italic">username</span>,r+w
</div>

<p> If SSL is in use (<a class="link" href="#4.transportlayersecurity">4. Transport Layer Security</a>) then username/password
privacy is inherently secured via the encrypted communications. To restrict
server administration functions to this secure environment add the following
to the WASD_CONFIG_MAP configuration file:

<div class="blockof code">/httpd/-/admin/*  &quot;403 Access denied.&quot;  ![sc:https]
</div>

<p> When using the <span class="high italic">revise</span> capability of the Server Administration facility it
is necessary to comply with all the requirements for Web update of files. This
is discussed in general terms in <a class="link" href="#12.httpdwebupdate">12. HTTPd Web Update</a>.  Revision of server
configuration files requires path permissions allowing write access for the
username(s) doing the administration, as well as the required ACL on the target
directory (in the following example WASD_ROOT:[LOCAL]).

<div class="blockof code">[VMS]
/httpd/-/admin/*  #localhost,~<span class="high italic">username</span>,r+w
/wasd_root/local/*  #localhost,~<span class="high italic">username</span>,r+w
</div>

<p> It is possible to allow general access to the Server Administration facility
and reports while restricting the ability to initiate server actions such as a
restart!  Using the WORLD realm against the path is necessary because, for the
obvious security reason, the server administration module will not allow itself
to be used without an authenticated username; the WORLD realm supplies one as a
pseudo-authenticated &quot;WORLD&quot;.

<div class="blockof code">[VMS]
/httpd/-/admin/control/*  #localhost,~<span class="high italic">username</span>,r+w
[WORLD]
/httpd/-/admin/* r
</div>

<p> When GZIP compression is configured for the server (see 
<a class="link blank" target="_blank" href="../config/#gzipencoding">GZIP Encoding</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>)
it is not by default applied to Server Admin reports or other pages.  It can be
applied, selectively if desired, using mapping rules.  For instance, to apply
it to all requests not from the local intranet a rule similar to the following
can be added before the Server Admin path mapping itself.  The address and
prefix length must match the site's actual intranet: the /8 in the example is
illustrative only and covers far more than the 192.168.0.0/16 private range.

<div class="blockof code">if (!remote-addr:192.168.0.0/8) set /httpd/-/admin/* response=GZIP=all
pass /httpd/-/admin/* /httpd/-/admin/*
</div>

<p> GZIP content-encoding can never be applied to WATCH reports.

<a id="9.3" href="#"></a>
<a id="9.3.serverinstances" href="#"></a>
<a id="serverinstances" href="#"></a>
<h2 class="head"><span class="numb">9.3</span><span class="text">Server Instances</span></h2>

<p> With a single instance (see <a class="link" href="#8.1.serverinstances">8.1 Server Instances</a>) access to Server
Administration reports, etc. is always serviced by the one server process.  If
multiple instances are configured then in common with all requests
administration requests will be serviced by any one of the associated processes
depending on the momentary state of the round-robin distribution. 

<p> There are many circumstances where it is preferable to access only the one
server.  This can be accomplished for two differing objectives.

<ol class="list">

<li class="item"> To facilitate access to a specific instance's Server Administration page,
including instance-specific reports etc.  This is provided through the use of
an <span class="high italic">administration service</span> port (see
<a class="link blank" target="_blank" href="../config/#administrationservices">Administration Services</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>)
available from the Server Administration page.

<li class="item"> The Server Administration page (<a class="link" href="#9.6.controlsection">&lsquo;Control Section&rsquo; in 9.6 HTTPd Server Action</a>) and the
command-line (<a class="link" href="#9.7.10.instances">9.7.10 Instances</a>) provide the capability to explicitly set the
number of instances supported, overriding any configuration directive.  After
explicitly setting this, using either means, the server must be restarted.  The
explicit startup setting remains in effect until it is changed to &quot;max&quot;
allowing the WASD_CONFIG_GLOBAL configuration directive [InstanceMax] to once
again determine the number of instances required.

</ol>

<p> The latter approach is particularly useful when performing detailed WATCH
activities (<a class="link" href="#10.watchfacility">10. WATCH Facility</a>).

<p> When multiple per-node instances are executing the Server Administration
pages and reports all include an indication of which process serviced the
request.  When accessing no instance in particular the process name is
presented in parentheses after the page title

<div class="blockof code">HTTPd www.example.com:80
Server Administration  (HTTPd:80)
</div>

<p> When a particular instance's administration service port is being used the
process name is separated from the page title by a hyphen

<div class="blockof code">HTTPd www.example.com:80
Server Administration - HTTPd:80
</div>

<p> Multi-instance status (see <a class="link" href="#8.1.4.status">8.1.4 Status</a>)
snapshots are available via HTTPDMON, the Server Admin main page and can be
reported from the command line using 

<div class="blockof code">&dollar; HTTPD /DO=STATUS
</div>

<a id="9.4" href="#"></a>
<a id="9.4.httpdserverreports" href="#"></a>
<a id="httpdserverreports" href="#"></a>
<h2 class="head"><span class="numb">9.4</span><span class="text">HTTPd Server Reports</span></h2>

<p> The server provides a number of internally generated reports.  Some of
these are of general interest.  Others are more for evaluating WASD behaviour
and performance for development purposes.  Appropriate reports have a refresh
selector allowing the report to be updated at the selected period.  The
following list is in the approximate order in which they occur top-to-bottom,
left-to-right in the menu layout.

<p> It is possible to use this facility standalone, without configuring
authorisation (<a class="link" href="#9.1.accessbeforeconfiguration">9.1 Access Before Configuration</a>).

<ul class="list">

<li class="item"> <span class="high bold">Statistics &ndash; </span>
Server process up-time, CPU-time and other resources consumed, number of
connections processed, number of requests of each HTTP method, type of
processing involved (HTTPd module used), number of bytes processed, etc.

<li class="item"> <span class="high bold">Log+&nbsp; &ndash; </span>
Display the server process (SYS&dollar;OUTPUT) log.
The <span class="high italic">plus</span> displays all accessible server process log files for selection.
Just click on the <span class="high monosp" style="background-color:yellow;">&nbsp;+ </span> in
<span class="highinline monosp _button">&thinsp;Log<span class="high" style="background-color:yellow;">+&thinsp;</span></span>. 

<li class="item"> <span class="high bold">Configuration &ndash; </span>
A tabular summary of the server's current configuration.  This is a convenient
method for viewing the information from the WASD_CONFIG_GLOBAL file.

<li class="item"> <span class="high bold">Services &ndash; </span>
A tabular report listing the current services (virtual servers) and the
service-specific parameters.

<li class="item"> <span class="high bold">Messages &ndash; </span>
A tabular report of the server's current message database, multiple
languages shown if configured that way.

<li class="item"> <span class="high bold">Mapping &ndash; </span>
All loaded mapping rules and any cached USER rule paths.  A selector allows
rules applying only to one particular virtual server to be displayed.

<li class="item"> <span class="high bold">Path Authorization &ndash; </span>
If authorization is in use (<a class="link" href="#3.authenticationandauthorization">3. Authentication and Authorization</a>) this
report lists the paths with associated authorization and access control.

<li class="item"> <span class="high bold">User Authentication &ndash; </span>
List any users that have been authorized since the server was last
started, the realm authorized from, the group it applies to (if any), and what
the user's capabilities are (allowed HTTP methods). A time-stamp and counters
provide additional information.

<li class="item"> <span class="high bold">Secure Sockets &ndash; </span>
The SSL report lists counts of the number of SSL transactions initiated
and completed, along with session cache statistics for the currently connected
SSL service.  It also lists the ciphers available and current session
information.  Other reports allow the Certificate Authority (CA) database to be
viewed and edited, if available due to X.509 authentication being enabled.

<li class="item"> <span class="high bold">AlnFlt &ndash; </span>
Memory access alignment faults are constantly monitored.   This displays the
accumulated statistics since the most recent startup.  Should always be zero!

<li class="item"> <span class="high bold">Cache &ndash; </span>
Allows monitoring of cache behaviour and performance, as well as the files
currently in the cache (see
<a class="link blank" target="_blank" href="../config/#cacheconfiguration">Cache Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>).

<li class="item"> <span class="high bold">Cluster &ndash; </span>
For clustered systems generates a report similar to the <span class="high italic">System Report</span> but
with a cluster emphasis.

<li class="item"> <span class="high bold">DCL Scripting &ndash; </span>
Provides some DCL, CGI and CGIplus scripting information.

<p>  DCL module statistics (same information as displayed in the server
statistics report).  These are cumulative for the entire life of the system
(unless zeroed).

<p> Process information shows how many actual processes exist at the time of the
report, as indicated by the PID and bolded, non-zero lifetime (in minutes). The
<span class="high italic">soft-limit</span> specifies how many CGIplus scripts are allowed to continue
existing before the least used is deleted and the <span class="high italic">hard-limit</span> shows how many
processes may actually exist at any one time (the margin allows for process
deletion latency). A count of how many times the CGIplus processes have been
explicitly purged (button available on this report page). The <span class="high italic">life-time</span> of
zombie processes (in minutes, zero implying use of zombies is disabled) and the
number that have been purged due to expiry. CGIplus process life-time (in
minutes, zero implying indefinite), the number purged due to life-time expiry
and the number of CGIplus processes that the server has actually purged
(deleted) to maintain the soft-limit margin specified above.

<p> Each of the allocated process data structures is listed.  There may be zero
up to hard-limit items listed here depending on demand for DCL activities and
the life of the server.  Items with a PID shown indicate an actual process
existing.  This can be a zombie process or a CGIplus process.  If no process is
indicated then the other information represents the state the last time the
item's associated process completed. Information includes the script (URL-style
path) or DCL command, total count of times the item has been used and the last
time it was.  The zombie count indicates the number of times the same process
finished a request and entered the <span class="high italic">zombie</span> state.  The CGIplus column
indicates it is/was a CGIplus script and shows the total number of times that
particular script has been/was used.  If the process is currently in use the
client information shows the client host name.

<p> If any processes are associated with any data structure a <span class="high italic">purge</span> button is
provided that forces all processes to be deleted.  This can be useful if a new
script image is compiled and it is required all scripts now use this.  If a
script is currently processing a request the process deletion occurs when that
processing is complete. The purge button <span class="high bold">does not force</span> a process to delete,
so a second button <span class="high bold">forces</span> all processes to delete immediately.  This can be
used to forcibly clear errant scripts, etc., but be warned script processing
is indiscriminately stopped!

<li class="item"> <span class="high bold">DECnet Scripting &ndash; </span>
DECnet module information shows totals for DECnet scripting usage and the
DECnet connection list.

<p> This list will grow, up to the specified configuration maximum, as
concurrent scripting demand occurs. Maintained connections are indicated by
the bolded, non-zero lifetime (in minutes). When this reaches zero the task is
disconnected. The current/last task for that connection is indicated, along
with the number of times the connection was reused and a total number of uses
for that list item.

<p> <span class="high italic">Purge</span> and <span class="high italic">force</span> buttons allow current links to be broken after request
completion or forcibly disconnected.

<li class="item"> <span class="high bold">HTTP &ndash; </span>
Reports HTTP/2 and HTTP/1.<span class="high italic">n</span> statistics together as well as providing a list
of current HTTP/2 connections with some per-connection data. See <a class="link" href="#5.http2">5. HTTP/2</a>
for details.

<li class="item"> <span class="high bold">Lock &ndash; </span>
Lists the names and status of all lock resources used to manage single and
multiple instances across single systems or a cluster.  This report is more
relevant for evaluating and debugging WASD behaviour.

<li class="item"> <span class="high bold">Match &ndash; </span>
To assist with the refinement of string matching patterns (see
<a class="link blank" target="_blank" href="../config/#stringmatching">String Matching</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>).
This report allows the input of target and match strings and allows direct
access to the server's wildcard and regular expression matching routines. 
Successful matches show the matching elements and a substitution field allows
resultant strings to be assessed.

<li class="item"> <span class="high bold">Memory+&nbsp; &ndash; </span>
Provides a report and does an integrity check on each of the Virtual Memory
(VM) zones employed by the WASD HTTPd.  The <span class="high italic">plus</span> displays all server process
memory zones.
Just click on the <span class="high monosp" style="background-color:yellow;">&nbsp;+ </span> in
<span class="highinline monosp _button">&thinsp;Memory<span class="high" style="background-color:yellow;">+&thinsp;</span></span>. 

<li class="item"> <span class="high bold">Process &ndash; </span>
Lists all processes on the current system owned by the server account. 
From this list a process can be selected to have a &quot;SHOW PROCESS /ALL&quot;
performed on it, displayed on a report page.

<li class="item"> <span class="high bold">Proxy &ndash; </span>
If proxy serving is enabled a report providing statistics on the various
HTTP methods used, network and cache traffic, cache reads and writes, requests
not cachable, and host name lookup are provided.  This may be used to help gauge
the effectiveness of the cache.

<li class="item"> <span class="high bold">Request &ndash; </span>
Lists in-progress requests (always shows at least your own connection accessing
this report :-)  Additional buttons after the report allow selection of a report
that in addition displays current persistent network connections, requests
currently under throttle control, and if enabled a list (history) of  the most
recent requests (enabled by the configuration  parameter [RequestHistory]). 
Current requests may be selected for <span class="high italic">one-shot</span> WATCH-processing reports from
this page.

<p> Two other diagnostic tools are available from the same link.  The first,
<span class="high italic">WATCH-peek Report</span>, provides a snapshot of the contents of selected internal
fields and data structures of the request.  This is primarily intended as a
problem investigation and development tool, and will be of limited value
without an understanding of server internals.  The second accesses the &quot;peek&quot;
internals plus a one-shot WATCH-processing report. 

<p> For servers handling a great quantity of concurrent traffic this can
generate a very large report.  The <span class="high italic">Supervisor</span> report can also provide a
profile of the server's current load.

<li class="item"> <span class="high bold">System+&nbsp; &ndash; </span>
Shows the system, all users, memory and CPU status as a single report.

<a id="9.4.0.0.0.1" href="#"></a>
<a id="9.4.serverclisysplus" href="#"></a>
<a id="serverclisysplus" href="#"></a>
<h6 class="head display0"><span class="text">Server CLI /SYSPLUS</span></h6>
<div class="note">
<a id="9.4.0.0.1" href="#"></a>
<a id="9.4.systemreportplus" href="#"></a>
<a id="systemreportplus" href="#"></a>
<h5 class="head center"><span class="text">System Report PLUS</span></h5>
<hr class="note_hr">
The standard system report uses a scripting process to present some of this
data in familiar formats (using DCL commands).  If the system is faltering for
some reason (e.g. resource exhaustion) this may not be possible &ndash; and just
when it might be really useful!  It <span class="high bold">may</span> still be possible to gain some
insight into system status using the <span class="high monosp">system+</span> report.  This uses only
internal code and provides significant technical data on system, cluster,
device and process status.
Just click on the <span class="high monosp" style="background-color:yellow;">&nbsp;+ </span> in
<span class="highinline monosp _button">&thinsp;System<span class="high" style="background-color:yellow;">+&thinsp;</span></span>. 
It can also be considered an alternate or supplementary view of the system for
those that don't mind, or who thrive on, more technical content.
<p> <span class="high bold monosp">&dollar; HTTPD /SYSPLUS&nbsp;</span> can provide the same report data at the command-line for
circumstances where the server is unresponsive but an interactive session is
available.  Requires a 132 character width terminal session. The /SYSPLUS
report generator may be used with /OUTPUT=&lt;filename&gt; to capture and store
report data.  See
<a class="link blank" target="_blank" href="../config/#serverimagecommandlineparameters">Server Image Command-Line Parameters</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>.
<hr class="note_hr">
</div>

<li class="item"> <span class="high bold">Throttle &ndash; </span>
This report provides a list of paths with throttle rules mapped against them. 
It provides the throttle values along with current and history activity
counters.

<li class="item"> <span class="high bold">WATCH &ndash; </span>
This report provides an online, real-time, in-browser-window view of request
processing on the <span class="high bold">running server</span>. See <a class="link" href="#10.watchfacility">10. WATCH Facility</a> for details.

<li class="item"> <span class="high bold">WebDAV &ndash; </span>
Provides configuration and statistics.

<li class="item"> <span class="high bold">WebSocket &ndash; </span>
Lists in-progress WebSocket requests with connection statistics and the
associated scripting process.

<li class="item"> <span class="high bold">Activity &ndash; </span>
Provides a graphical <span class="high italic">snapshot</span> of server activity over a given period.

<p> The statistics are stored in a permanent global section and so carry-over
between server restarts.  Where multiple instances are executing the data
represents an accumulation of all instances' processing. It is enabled by the
configuration parameter [ActivityDays]. The Server Administration facility
provides several, represented as a period of hours before the present time.
Number of requests and bytes sent to the client are represented by a histogram
with respective means for each by a line graph.  A bar across the column of the
request histogram indicates the peak number of concurrent requests during the
period.  A <span class="high italic">greyed</span> area indicates no data available for that time (i.e.
before the latest server startup, or in the future).

<p> Server startup and shutdown events are indicated by solid, vertical lines
the full height of the graph (see example for a restart event).

<ul class="list simple list0">
<li class="item"> startup - green
<li class="item"> shutdown - black
<li class="item"> restart - grey
<li class="item"> error exit - red
</ul>

<p> Activity data is accumulated on a per-minute basis. This is the maximum
granularity of any report. When reports are selected that can display less than
this one minute granularity (i.e. with periods greater than four hours) the
value shown is the <span class="high bold">peak</span> of the number of minutes sampled for display. This
better represents the load on the server than would a mean of those samples.

<p> The graph is an image map, various regions of which allow the selection of
other reports with different periods or durations. This allows previous periods
to be examined at various levels of detail using the graph for navigation.
Various sections may have no mapping as appropriate to the current report.

<p> For multiple hour reports the upper and lower sections have distinct
functions. The middle 50% of the upper section allows the same end time (most
commonly the current hour) to be examined over twice the current period, in
this case it would be over eight hours. The left 25% allows the previous four
hours to be viewed (if such data exists), and for non-current reports the right
25% allows the next four hours to be viewed. The lower half can be divided into
sections representing hours or days depending on the period of the current
report. This allows that period to be viewed in greater detail. For single hour
reports this section, of course, is not mapped.

<p> Remember that the URL of the mapped section will be displayed in the status
bar of the browser. As the URL contains time components it is not a difficult
task to decipher the URL displayed to see the exact time and period being
selected.
<a class="imglink" target="_blank" href="./activity.png"><img class="image" src="./activity.png" alt="Example activity report graph"></a>

</ul>

<a id="9.5" href="#"></a>
<a id="9.5.httpdserverrevise" href="#"></a>
<a id="httpdserverrevise" href="#"></a>
<h2 class="head"><span class="numb">9.5</span><span class="text">HTTPd Server Revise</span></h2>

<p> The server provides a comprehensive configuration revision facility.

<ul class="list">

<li class="item"> <span class="high bold">Configuration &ndash; </span>
A form-driven interface allows the current configuration of the server to be
altered online.  This configuration may then be saved to the on-disk file and
then the server could be restarted using the new parameters.  The source of the
current configuration can be either the server itself (from its volatile,
in-memory parameters) or from the on-disk configuration file.  In addition it
is possible to directly edit and update the on-disk file.

<li class="item"> <span class="high bold">Services &ndash; </span>
A form-driven interface allows service (virtual server) configuration.
It is also possible to directly edit and update the on-disk file.  The server
must be restarted for service changes to take effect.

<li class="item"> <span class="high bold">Messages &ndash; </span>
A form-driven interface allows the server messages to be modified.
It is also possible to directly edit and update the on-disk file.  The
server can then be restarted to use the modified database (<a class="link" href="#9.6.httpdserveraction">9.6 HTTPd Server Action</a>).

<li class="item"> <span class="high bold">Mapping &ndash; </span>
No form-driven interface is currently available for changing the mapping rules. 
However it is possible to directly edit and update the on-disk file.  The
mapping rules could then be reloaded, changing the current server rules
(<a class="link" href="#9.6.httpdserveraction">9.6 HTTPd Server Action</a>).

<li class="item"> <span class="high bold">Path Authorization &ndash; </span>
No form-driven interface is currently available for changing the path
authorization configuration. However it is possible to directly edit and update
the on-disk file.  The path authorization directives could then be reloaded,
changing the current server authorization (<a class="link" href="#9.6.httpdserveraction">9.6 HTTPd Server Action</a>).

<li class="item"> <span class="high bold">User Authentication &ndash; </span>
User authentication comprises a number of dialogues that allow the
WASD-specific (HTA) authentication databases to be administered.  These
include:

<p>
<ul class="list simple list0">
<li class="item"> creating databases
<li class="item"> deleting databases
<li class="item"> accessing databases for administering usernames
<li class="item"> listing usernames within databases
<li class="item"> adding usernames
<li class="item"> deleting usernames
<li class="item"> modifying username permissions and other data
<li class="item"> resetting in-server (cached) authentication information
</ul>

<p> <a class="link" href="#3.authenticationandauthorization">3. Authentication and Authorization</a> covers authentication detail.

<li class="item"> <span class="high bold">Site Log &ndash; </span>
This accesses a plain-text file that could be used to record server or other
significant site configuration changes if desired.  Two methods of access are
provided.

<ol class="list list0">
<li class="item"> Site-Log - open the file for editing, placing a date/time/author timestamp
at the top
<li class="item"> Edit - open the file for editing
</ol>

<p> The file name and/or location may be specified using the logical name
WASD_SITELOG.

</ul>

<a id="9.5.0.0.1" href="#"></a>
<a id="9.5.enablingserveraccess" href="#"></a>
<a id="enablingserveraccess" href="#"></a>
<h5 class="head"><span class="text">Enabling Server Access</span></h5>

<p> Many of the server activities listed above require server account write
access to the directory in which the configuration files are stored.  Where an
autonomous scripting account is in use this poses minimal threat to server
configuration integrity.

<ol class="list">

<li class="item"> Specifically map the /wasd_root/local/ path and mark it as access always
requiring authorization (ensure this is one of the first mappings in the file
and certainly before any other /wasd_root/ ones).
<div class="blockof code"># WASD_CONFIG_MAP
pass /wasd_root/local/* auth=all
</div>

<li class="item"> Add appropriate authorization rules (example from
<a class="link blank" target="_blank" href="../config/#authorizationconfigurationbasics">Authorization Configuration (Basics)</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>).
<div class="blockof code"># WASD_CONFIG_AUTH
[&quot;Web Admin&quot;=WASD_WEBADMIN=id]
/httpd/-/admin/* r+w
/wasd_root/local/* r+w
</div>

<li class="item"> Update access to the directory can be applied using the SECHAN utility
(<a class="link" href="#13.12.sechanutility">13.12 SECHAN Utility</a>).
<div class="blockof code">&dollar; SECHAN /WRITE WASD_ROOT:[000000]LOCAL.DIR
&dollar; SECHAN /WRITE WASD_ROOT:[LOCAL]
</div>

<li class="item"> Load the new mapping and authorization rules.
<div class="blockof code">&dollar; HTTPD /DO=MAP
&dollar; HTTPD /DO=AUTH=LOAD
</div>

</ol>

<a id="9.5.0.0.2" href="#"></a>
<a id="9.5.alternativeusingprofile" href="#"></a>
<a id="alternativeusingprofile" href="#"></a>
<h5 class="head"><span class="text">Alternative Using /PROFILE</span></h5>

<p> If a site is using SYSUAF authentication and security profiles enabled using
the /PROFILE startup qualifier (<a class="link" href="#13.12.sechanutility">13.12 SECHAN Utility</a>) then a more restrictive
set up is possible, retaining the default no-access to the [LOCAL] directory. 
This relies on the administering account(s) having read and write access to the
[LOCAL] directory. It is then not necessary to grant that to the server
account.  It is possible to limit the application of VMS user profiles.  This
is an example.

<div class="blockof code"># WASD_CONFIG_MAP
set /wasd_root/local/* profile auth=all
set * noprofile
</div>

<p> To use this approach perform steps 1, 2 and 4 from above, substituting the
following for step 3.

<div class="blockof code">&dollar; SECHAN /PACKAGE WASD_ROOT:[000000]LOCAL.DIR
&dollar; SECHAN /PACKAGE WASD_ROOT:[LOCAL]
&dollar; SECHAN /CONTROL WASD_ROOT:[000000]LOCAL.DIR
</div>

<a id="9.6" href="#"></a>
<a id="9.6.httpdserveraction" href="#"></a>
<a id="httpdserveraction" href="#"></a>
<h2 class="head"><span class="numb">9.6</span><span class="text">HTTPd Server Action</span></h2>

<p> The server allows certain run-time actions to be initiated.  Many of these
functions can also be initiated from the command line, see
<a class="link" href="#9.7.httpdcommandline">9.7 HTTPd Command Line</a>.

<p> When multiple servers are executing on a single node or within a cluster a
JavaScript-driven checkbox appears in the bottom left of the administration
menu. <span class="high bold">Checking that box applies any subsequently selected action to all
servers!</span>

<a id="9.6.0.0.1" href="#"></a>
<a id="9.6.controlsection" href="#"></a>
<a id="controlsection" href="#"></a>
<h5 class="head"><span class="text">Control Section</span></h5>

<ul class="list">

<li class="item"> <span class="high bold">Server Restart/restartNOW/restartQuiet/Exit/exitNOW &ndash; </span>
The difference between restart/exit and restartNOW/exitNOW is the former waits
for any current requests to be completed, while the latter does it immediately
regardless of any current connections.  The restartQuiet variant continues
processing until demand drops to zero for more than one second at which point
it commences restart.  If the browser has JavaScript enabled a cautionary alert
requesting confirmation is generated (otherwise there is no confirmation).

<li class="item"> <span class="high bold">Logging On/Off/Flush &ndash; </span>
The WASD_CONFIG_LOG logical must be configured to allow access logging to be
enabled and disabled from this menu.

<li class="item"> <span class="high bold">Caching On/Off/Purge &ndash; </span>
Caching may be enabled and disabled in an ad hoc fashion using these controls.
When being disabled after being enabled all previous data is retained.  If
subsequently re-enabled that data is then again available for use.  This allows
convenient assessment of the subjective or even objective benefits of caching.
If purged all entries in the cache are removed.

<li class="item"> <span class="high bold">Instance Startup &ndash; </span>
An instance value may be set that overrides the configuration directive
[InstanceMax] at next startup.  This may be used to change the number of server
processes on an ad hoc basis.  Reset to &quot;max&quot; to return to configuration
control.  Note that this can be applied to the current node only or to all
servers within a cluster, and that a subsequent restart is required.

<li class="item"> <span class="high bold italic">DO= Button and Field &ndash; </span>
Provides an on-line facility parallel to that provided by the command-line /DO
qualifier (<a class="link" href="#9.7.httpdcommandline">9.7 HTTPd Command Line</a>).  Any directive available via the
command-line can be entered using this interface and applied on a per-node or
per-cluster basis.

</ul>

<a id="9.6.0.0.2" href="#"></a>
<a id="9.6.configurationactionsection" href="#"></a>
<a id="configurationactionsection" href="#"></a>
<h5 class="head"><span class="text">Configuration Action Section</span></h5>

<ul class="list">

<li class="item"> <span class="high bold">Statistics Zeroed &ndash; </span>
All counters are zeroed (except the <span class="high italic">number-of-times-zeroed</span> counter!)

<li class="item"> <span class="high bold">Mapping Rules Reload &ndash; </span>
Reloads the path mapping rules from the on-disk file into the running server,
clears the user SYSUAF mapping cache.

<p> <span class="high bold">Caution!</span> If changing CGIplus script mapping it is advised to restart the
server rather than reload.  Some conflict is possible when using new rules
while existing CGIplus scripts are executing.

<li class="item"> <span class="high bold">Path Authorization Reload &ndash; </span>
Reloads the path authorization directives from the on-disk file into the
running server.

<li class="item"> <span class="high bold">User Authentication Cache Purge &ndash; </span>
For efficiency reasons authenticated user information is cached for a limited
period within the running server.  All this cached information may be
completely purged using this action, forcing subsequent requests to be
reauthenticated from the on-disk database.

</ul>

<a id="9.7" href="#"></a>
<a id="9.7.httpdcommandline" href="#"></a>
<a id="httpdcommandline" href="#"></a>
<h2 class="head"><span class="numb">9.7</span><span class="text">HTTPd Command Line</span></h2>

<p> A foreign command for the HTTPD control functionality will need to be
assigned in the administration users' LOGIN.COM, for example:

<div class="blockof code">&dollar; HTTPD == &quot;&dollar;WASD_EXE:HTTPD&quot;
</div>
 or (perhaps more likely)

<div class="blockof code">&dollar; HTTPD == &quot;&dollar;WASD_EXE:HTTPD_SSL&quot;
</div>

<p> Some control of the executing server is available from the DCL command
line on the system on which it is executing. This functionality, <span class="high bold">via
the /DO= qualifier</span>, is available to the privileged user.

<p> These directives are communicated from the command-line (and Server
Administration page analogue - <a class="link" href="#9.6.controlsection">&lsquo;Control Section&rsquo; in 9.6 HTTPd Server Action</a>) to the per-node or
per-cluster servers using the Distributed Lock Manager.  On pre-VMS V8.2 the
command buffer is limited to 15 bytes.  From VMS V8.2 the buffer space
available is 63 bytes.  In a cluster all systems must support the larger buffer
before WASD enables it.  The smaller buffer space limits some of the directives
that take free-form parameters (e.g. /DO=DCL=PURGE=USER=DANIEL).

<a id="9.7.0.0.1" href="#"></a>
<a id="9.7.multiserverclusterwide" href="#"></a>
<a id="multiserverclusterwide" href="#"></a>
<h5 class="head"><span class="text">Multi-Server/Cluster-Wide</span></h5>

<p> If multiple servers are executing on a host or cluster it is possible to
control all of them by adding the /CLUSTER or /ALL qualifiers.  Of course,
these commands are available from batch jobs as well as interactively.  In a
clustered WASD environment the same functionality is available via checkboxes
from the online Server Administration facility.

<a id="9.7.0.0.2" href="#"></a>
<a id="9.7.needittobejogged" href="#"></a>
<a id="needittobejogged" href="#"></a>
<h5 class="head"><span class="text">Need it to be jogged?</span></h5>

<p> Can't quite remember what it can (and by implication can't) do?

<div class="blockof code">&dollar; HTTPD /DO=HELP
</div>

<a id="9.7.0.0.3" href="#"></a>
<a id="9.7.serverlogannotation" href="#"></a>
<a id="serverlogannotation" href="#"></a>
<h5 class="head"><span class="text">Server Log Annotation</span></h5>

<p> Significant server events (e.g. restart, exit, mapping rule change) can
often benefit (post-mortem :-) from an annotation in the server process log,
especially in a production environment.  The command-line /NOTE=&quot;&lt;string&gt;&quot; can
be used to insert the supplied string as an ad hoc annotation, or in
conjunction with a /DO=&quot;..&quot; CLI command.

<div class="blockof code">&dollar; HTTPD /NOTE=&quot;just a note test!&quot;
&dollar; HTTPD /DO=RESTART /NOTE=&quot;adding services &quot;&quot;download.&quot;&quot; and &quot;&quot;mail.&quot;&quot;&quot;
</div>

<p> The server process log annotations appear as follows.

<div class="blockof code">%HTTPD-I-NOTE, 10-DEC-2017 22:32:30, just a note test!
%HTTPD-I-NOTE, 10-DEC-2017 22:33:05, adding services &quot;download.&quot; and &quot;mail.&quot;
</div>

<p> Notes may also be inserted from the Server Admin main page by using the
[/DO=] button and field and prefixing the string with /NOTE= (string
delimiting quotation marks are not required).  Using the Server Admin page,
annotation and commands cannot be combined.

<a id="9.7.1" href="#"></a>
<a id="9.7.1.accounting" href="#"></a>
<a id="accounting" href="#"></a>
<h3 class="head"><span class="numb">9.7.1</span><span class="text">Accounting</span></h3>

<p> Server counters may be zeroed.  These counters are those visible from the
<span class="high italic">statistics</span> Server Administration item and when using the HTTPDMON utility.

<div class="blockof code">&dollar; HTTPD /DO=ZERO
</div>

<p> The HTTPDMON utility displays a status line during startup or server exit on
error.  For example:

<div class="blockof code">KLAATU:: 1            HTTPDMON v2.6.0 AXP         Friday, 21-SEP-2018 21:40:54

Process: WASD:80  PID: 00001F9B  User: HTTP&dollar;SERVER  Version: 11.3.0
     Up: 6 18:21:20.96  CPU: 0 00:07:25.54  Startup: 55  Exit: %X00000001
8&lt; snip 8&lt;
     Rx: 1,365,809 (0 err) Tx: 26,965,420 (0 err) (477kB/s)

 STATUS: %HTTPD-I-STARTUP, 21-SEP-2018 21:40:52, WASD:80
</div>

<p> On occasion this status message can become constantly displayed (e.g. after
command-line misoperation), with

<div class="blockof code">&dollar; HTTPD /DO=ZERO=STATUS
</div>
 restoring normal request information. 

<a id="9.7.2" href="#"></a>
<a id="9.7.2.alignmentfaults" href="#"></a>
<a id="alignmentfaults" href="#"></a>
<h3 class="head"><span class="numb">9.7.2</span><span class="text">Alignment Faults</span></h3>

<p> Alignment faults can be a significant performance issue and considerable
effort has been invested in completely eliminating them.  This was done using an
internal reporting tool (primarily intended for the WASD developer) available
from the Server Admin interface.  Defining the logical name WASD_ALIGN_MAP to
be a linker map of the build provides additional information.

<div class="blockof code">&dollar; HTTPD /DO=ALIGN=START
&dollar; HTTPD /DO=ALIGN=STOP
&dollar; HTTPD /DO=ALIGN=ZERO
&dollar; HTTPD /DO=ALIGN=FAULT=1
</div>

<a id="9.7.3" href="#"></a>
<a id="9.7.3.authentication" href="#"></a>
<a id="authentication" href="#"></a>
<h3 class="head"><span class="numb">9.7.3</span><span class="text">Authentication</span></h3>

<p> See <a class="link" href="#3.authenticationandauthorization">3. Authentication and Authorization</a>.

<p> The authorization rule file (HTTP&dollar;AUTH) may be reloaded using either of
these variants.

<div class="blockof code">&dollar; HTTPD /DO=AUTH
&dollar; HTTPD /DO=AUTH=LOAD
</div>

<p> The authentication cache may be purged, resulting in re-authentication for
all subsequent authorization-controlled accesses. This may be useful when
disabling authorization or if a user has been locked-out due to too many
invalid password attempts (<a class="link" href="#3.9.authorizationcache">3.9 Authorization Cache</a>).

<div class="blockof code">&dollar; HTTPD /DO=AUTH=PURGE
</div>

<p> A &quot;skeleton-key&quot; username and password may be entered, amongst other things
allowing access to the Server Administration facility
(<a class="link" href="#9.serveradministration">9. Server Administration</a>).

<div class="blockof code">&dollar; HTTPD /DO=AUTH=SKELKEY=_&lt;username&gt;:&lt;password&gt;[:&lt;period&gt;]
</div>

<a id="9.7.4" href="#"></a>
<a id="9.7.4.cache" href="#"></a>
<a id="cache" href="#"></a>
<h3 class="head"><span class="numb">9.7.4</span><span class="text">Cache</span></h3>

<p> Server cache control may also be exercised from the Server Administration
page (<a class="link" href="#9.serveradministration">9. Server Administration</a>).  The file cache (see
<a class="link blank" target="_blank" href="../config/#cacheconfiguration">Cache Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>)
may be enabled, disabled and have the contents  purged (declared invalid and
reloaded) using

<div class="blockof code">&dollar; HTTPD /DO=CACHE=ON
&dollar; HTTPD /DO=CACHE=OFF
&dollar; HTTPD /DO=CACHE=PURGE
</div>

<a id="9.7.5" href="#"></a>
<a id="9.7.5.configurationcheck" href="#"></a>
<a id="configurationcheck" href="#"></a>
<h3 class="head"><span class="numb">9.7.5</span><span class="text">Configuration Check</span></h3>

<p> Changes to configuration files can be validated at the command-line before
reload or restart.  This detects and reports any syntactical and fatal
configuration errors but of course cannot check the <span class="high italic">intent</span> of the rules.

<div class="blockof code">&dollar; HTTPD /DO=AUTH=CHECK
&dollar; HTTPD /DO=CONFIG=CHECK
&dollar; HTTPD /DO=GLOBAL=CHECK
&dollar; HTTPD /DO=MAP=CHECK
&dollar; HTTPD /DO=MSG=CHECK
&dollar; HTTPD /DO=SERVICE=CHECK
</div>

<p> The <span class="high italic">config</span> check sequentially processes each of the <span class="high italic">authorization</span>,
<span class="high italic">global</span>, <span class="high italic">mapping</span>, <span class="high italic">message</span> and <span class="high italic">service</span> configuration files.

<p> If additional server startup qualifiers are required to enable specific
configuration features then these must also be provided when checking.  For
example:

<div class="blockof code">&dollar; HTTPD /DO=AUTH=CHECK /SYSUAF /PROFILE
</div>

<a id="9.7.6" href="#"></a>
<a id="9.7.6.dclscriptingprocesses" href="#"></a>
<a id="dclscriptingprocesses" href="#"></a>
<h3 class="head"><span class="numb">9.7.6</span><span class="text">DCL/Scripting Processes</span></h3>

<p> These commands can be useful for flushing any currently executing CGIplus
applications from the server, enabling a new version to be loaded with the
next access. See &quot;Scripting Environment&quot; document.

<p> All scripting processes, busy with a request or not, can be deleted (this
may cause the client to lose data).

<div class="blockof code">&dollar; HTTPD /DO=DCL=DELETE
</div>

<p> A gentler alternative is to delete idle processes and mark busy ones for
deletion when completed processing.

<div class="blockof code">&dollar; HTTPD /DO=DCL=PURGE
</div>

<p> A more selective DELETE and PURGE is possible, where user name, script name,
or script file name is supplied and only matching tasks have the specified
action performed.

<div class="blockof code">&dollar; HTTPD /DO=DCL=PURGE=USER=<span class="high italic">username</span>
&dollar; HTTPD /DO=DCL=PURGE=SCRIPT=<span class="high italic">script-path</span>
&dollar; HTTPD /DO=DCL=PURGE=FILE=<span class="high italic">script-file-name</span>
</div>

<p> When using the proctor facility
(<a class="link blank" target="_blank" href="../scripting/#scriptproctor">Script Proctor</a> in <a class="link blank" target="_blank" href="../scripting/#0.">WASD Scripting</a>)
revised rules in WASD_CONFIG_GLOBAL may be <span class="high italic">applied</span> to the running server
(proctored scripting processes created and deleted), or merely <span class="high italic">loaded</span> into
the server ruleset (requiring subsequent DCL=PURGE or DCL=DELETE to activate). 

<div class="blockof code">&dollar; HTTPD /DO=DCL=PROCTOR=APPLY
&dollar; HTTPD /DO=DCL=PROCTOR=LOAD
</div>

<a id="9.7.7" href="#"></a>
<a id="9.7.7.decnetscriptingconnections" href="#"></a>
<a id="decnetscriptingconnections" href="#"></a>
<h3 class="head"><span class="numb">9.7.7</span><span class="text">DECnet Scripting Connections</span></h3>

<p> All DECnet connections, busy with a request or not, can be disconnected
(this may cause the client to lose data).

<div class="blockof code">&dollar; HTTPD /DO=DECNET=DISCONNECT
</div>

<p> Purging is a better alternative, disconnecting idle tasks and marking busy
ones for disconnection when complete.

<div class="blockof code">&dollar; HTTPD /DO=DECNET=PURGE
</div>

<a id="9.7.8" href="#"></a>
<a id="9.7.8.hhelppp" href="#"></a>
<a id="hhelppp" href="#"></a>
<h3 class="head"><span class="numb">9.7.8</span><span class="text">Hhelppp!</span></h3>

<div class="blockof code">&dollar; HTTPD /DO=HELP

  o  ALIGN=        START, STOP, ZERO with [&lt;buf-size&gt;,&lt;items&gt;,&lt;mask&gt;]
  o  AUTH          reload authorization file
  o  AUTH=CHECK    elementary check of authorization file
&hellip;
  o  ZERO          zero all accounting
  o  ZERO=NOTICED  zero the 'errors noticed' accounting
  o  ZERO=PROXY    zero proxy accounting

&dollar;
</div>

<a id="9.7.9" href="#"></a>
<a id="9.7.9.http2connection" href="#"></a>
<a id="http2connection" href="#"></a>
<h3 class="head"><span class="numb">9.7.9</span><span class="text">HTTP/2 Connection</span></h3>

<p> Disconnect idle HTTP/2 connections.

<div class="blockof code">&dollar; HTTPD /DO=HTTP2=PURGE
</div>

<p> All HTTP/2 connections can be disconnected (this may cause clients to lose
data), or a specific connection number.

<div class="blockof code">&dollar; HTTPD /DO=HTTP2=PURGE=ALL
&dollar; HTTPD /DO=HTTP2=PURGE=<span class="high italic">number</span>
</div>

<a id="9.7.10" href="#"></a>
<a id="9.7.10.instances" href="#"></a>
<a id="instances" href="#"></a>
<h3 class="head"><span class="numb">9.7.10</span><span class="text">Instances</span></h3>

<p> The number of server instances (see <a class="link" href="#8.1.serverinstances">8.1 Server Instances</a>) may be set
from the command line.  This overrides any configuration file directive and
applies at the next startup.  Any configuration directive value may be used
from the command line.

<div class="blockof code">&dollar; HTTPD /DO=INSTANCE=MAX
&dollar; HTTPD /DO=INSTANCE=CPU
&dollar; HTTPD /DO=INSTANCE=<span class="high italic">integer</span>
</div>

<p> <span class="high bold">Note that the server must be restarted for this to take effect</span>, that this
can be applied to the current node only or to all servers within a cluster, and
that it remains in effect until explicitly changed to &quot;MAX&quot; allowing the
WASD_CONFIG_GLOBAL configuration directive [InstanceMax] to once again
determine the number of instances required.  The same functionality is
available from the Server Administration page (<a class="link" href="#9.6.httpdserveraction">9.6 HTTPd Server Action</a>).

<p> There are also directives to assist with WATCH activities
(<a class="link" href="#8.1.serverinstances">8.1 Server Instances</a>).

<div class="blockof code">&dollar; HTTPD /DO=INSTANCE=PASSIVE
&dollar; HTTPD /DO=INSTANCE=ACTIVE
</div>

<a id="9.7.11" href="#"></a>
<a id="9.7.11.instancestatus" href="#"></a>
<a id="instancestatus" href="#"></a>
<h3 class="head"><span class="numb">9.7.11</span><span class="text">Instance Status</span></h3>

<p> Multi-instance (see <a class="link" href="#8.1.serverinstances">8.1 Server Instances</a>) status (see <a class="link" href="#8.1.4.status">8.1.4 Status</a>)
can be reported from the command line using

<div class="blockof code">&dollar; HTTPD /DO=STATUS
</div>

<p> In addition, stale entries in the status table may be purged using

<div class="blockof code">&dollar; HTTPD /DO=STATUS=PURGE
</div>

and the table completely emptied then repopulated over the next minute using

<div class="blockof code">&dollar; HTTPD /DO=STATUS=RESET
</div>

<a id="9.7.12" href="#"></a>
<a id="9.7.12.logging" href="#"></a>
<a id="logging" href="#"></a>
<h3 class="head"><span class="numb">9.7.12</span><span class="text">Logging</span></h3>

<p> Server logging control may also be exercised from the server administration
menu (<a class="link" href="#9.serveradministration">9. Server Administration</a>).

<p> Open the access log file(s). 

<div class="blockof code">&dollar; HTTPD /DO=LOG=OPEN
</div>

<p> Close the access log file(s). 

<div class="blockof code">&dollar; HTTPD /DO=LOG=CLOSE
</div>

<p> Close then reopen the access log file(s). 

<div class="blockof code">&dollar; HTTPD /DO=LOG=REOPEN
</div>

<p> Unwritten log records may be flushed to the file(s).

<div class="blockof code">&dollar; HTTPD /DO=LOG=FLUSH
</div>

<a id="9.7.13" href="#"></a>
<a id="9.7.13.mapping" href="#"></a>
<a id="mapping" href="#"></a>
<h3 class="head"><span class="numb">9.7.13</span><span class="text">Mapping</span></h3>

<p> See
<a class="link blank" target="_blank" href="../config/#requestprocessingconfiguration">Request Processing Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>.

<p> The mapping rule file (WASD_CONFIG_MAP) may be reloaded using either of these
variants.

<div class="blockof code">&dollar; HTTPD /DO=MAP
&dollar; HTTPD /DO=MAP=LOAD
</div>

<a id="9.7.14" href="#"></a>
<a id="9.7.14.networkconnection" href="#"></a>
<a id="networkconnection" href="#"></a>
<h3 class="head"><span class="numb">9.7.14</span><span class="text">Network Connection</span></h3>

<p> Current network connections can be listed at the CLI.

<div class="blockof code">&dollar; HTTPD /DO=NET=LIST
</div>

<p> This can display in an 80 character terminal depending on column widths
(e.g. service and client names) but in some circumstances will require 132
characters to use effectively.  The CLI command requests the running server to
generate a report and return that via the &dollar;BRKTHRU service.

<p> Note that with HTTP/1.n there is a one-to-one relationship between requests
in progress and network connections, each displayed as a single integer, e.g.
<span class="high monosp">1651</span>.  With HTTP/2 there can be a many-to-one relationship, where the listed &quot;connections&quot;
being processed (i.e. requests in progress) are <span class="high italic">virtual</span> connections being
transported by an independent actual connection, and are displayed as
<span class="high monosp">1639-&gt;1632</span>, where <span class="high monosp">-&gt;1632</span> is the actual connection.

<div class="blockof code">Connect     Service / Request    Client      Time      Duration
----------  -------------------  ----------  --------  --------
1651        https:wasd.lan:4443  router.lan  08:05:02  6.636s
            [persistent:4]
1639-&gt;1632  https:wasd.lan:443   router.lan  08:00:52  4.147s
            GET /httpd/-/admin/report/WATCH?rqp=1&amp;rsp=1&amp;con=1&amp;err=1&amp;htp=i&amp;cl...
1626-&gt;1606  https:wasd.lan:443   router.lan  07:59:57  00:10:45
            GET /cgi-bin/smonitor?classes=&amp;MODES=2&amp;PROCESSES=3&amp;SYSTEM=1&amp;inte...
-&gt;1632      https:wasd.lan:443   router.lan  08:00:36  19.88s
            current:1 peak:1 count:5
-&gt;1606      https:wasd.lan:443   router.lan  07:25:41  00:35:14
            current:1 peak:4 count:13

1 HTTP/1.n, 2 via HTTP/2, 2 HTTP/2, 17-SEP-2021 07:58:17
</div>

<p> Disconnect <span class="high italic">idle</span> (persistent HTTP/1.n and HTTP/2) connections.

<div class="blockof code">&dollar; HTTPD /DO=NET=PURGE
</div>

<p> All network connections can be disconnected (this may cause clients to
lose data), or selectively: idle HTTP/1.n or HTTP/2 connections, a specific
connection number, or those matching the specified URI.

<div class="blockof code">&dollar; HTTPD /DO=NET=PURGE=ALL
&dollar; HTTPD /DO=NET=PURGE=HTTP1
&dollar; HTTPD /DO=NET=PURGE=HTTP2
&dollar; HTTPD /DO=NET=PURGE=<span class="high italic">number</span>
&dollar; HTTPD /DO=NET=PURGE=URI=<span class="high italic">pattern</span>
</div>

<p> Additionally, network connection acceptance can be suspended (leaving
in-progress requests to complete), suspended and in-progress disconnected, and
resumed.

<div class="blockof code">&dollar; HTTPD /DO=NET=SUSPEND
&dollar; HTTPD /DO=NET=SUSPEND=NOW
&dollar; HTTPD /DO=NET=RESUME
</div>

<a id="9.7.15" href="#"></a>
<a id="9.7.15.shutdownandrestart" href="#"></a>
<a id="shutdownandrestart" href="#"></a>
<h3 class="head"><span class="numb">9.7.15</span><span class="text">Shutdown and Restart</span></h3>

<p> Server shutdown may also be exercised from the Server Administration page
(<a class="link" href="#9.serveradministration">9. Server Administration</a>).

<p> The server may be shut down, without loss of existing client requests.
Connection acceptance is stopped and any existing requests continue to be
processed until conclusion.

<div class="blockof code">&dollar; HTTPD /DO=EXIT
</div>

<p> The server may be immediately and unconditionally shut down.

<div class="blockof code">&dollar; HTTPD /DO=EXIT=NOW
</div>

<p> The server may be restarted, without loss of existing client requests.
Connection acceptance is stopped and any existing requests continue to be
processed until conclusion.  This effectively causes the server to exit
normally and the DCL <span class="high italic">wrapper</span> procedure to restart it.

<div class="blockof code">&dollar; HTTPD /DO=RESTART
</div>

<p> The <span class="high italic">now</span> variant restarts the server immediately regardless of existing
connections.

<div class="blockof code">&dollar; HTTPD /DO=RESTART=NOW
</div>

<p> The when-<span class="high italic">quiet</span> variant restarts the server whenever request processing
drops to zero for more than one second.  It allows (perhaps non-urgent) changes
to be put into effect through restart when everything has gone &quot;quiet&quot; and no
demands are being placed on the server.

<div class="blockof code">&dollar; HTTPD /DO=RESTART=QUIET
</div>

<p> Significant server events such as these are prime candidates for server log
annotation!

<div class="blockof code">&dollar; HTTPD /DO=RESTART=NOW /NOTE=&quot;Restarting the server just so I can note it :-)&quot;
</div>

<a id="9.7.16" href="#"></a>
<a id="9.7.16.securesocketslayer" href="#"></a>
<a id="securesocketslayer" href="#"></a>
<h3 class="head"><span class="numb">9.7.16</span><span class="text">Secure Sockets Layer</span></h3>

<p> If the optional SSL component is installed and configured these directives
become effective.

<p> If X.509 authentication is enabled the Certificate Authority (CA)
verification list can be reloaded.

<div class="blockof code">&dollar; HTTPD /DO=SSL=CA=LOAD
</div>

<p> Server certificates, after being updated, may be reloaded into the running
services (i.e. without restart).  This is a synonym for /DO=SERVICE=LOAD.

<div class="blockof code">&dollar; HTTPD /DO=SSL=CERT=LOAD
</div>

<p> If a private key password is not included with the encoded key it is
requested by the server during startup.  The following example shows the
directive and the resulting prompt.  When entered the password is not echoed.

<div class="blockof code">&dollar; HTTPD /DO=SSL=KEY=PASSWORD
Enter private key password []:
</div>

<a id="9.7.17" href="#"></a>
<a id="9.7.17.throttle" href="#"></a>
<a id="throttle" href="#"></a>
<h3 class="head"><span class="numb">9.7.17</span><span class="text">Throttle</span></h3>

<p> Unconditionally release all queued requests for immediate processing.

<div class="blockof code">&dollar; HTTPD /DO=THROTTLE=RELEASE
</div>

<p> Unconditionally terminate all requests queued waiting for processing. 
Clients receive a 503 &quot;server too busy&quot; response.

<div class="blockof code">&dollar; HTTPD /DO=THROTTLE=TERMINATE
</div>

<p> For VMS V8.2 and later, a more selective RELEASE and TERMINATE is possible. 
A user name or script name can be supplied and only matching requests have the
specified action performed.

<div class="blockof code">&dollar; HTTPD /DO=THROTTLE=TERMINATE=REMOTE=<span class="high italic">pattern</span>
&dollar; HTTPD /DO=THROTTLE=TERMINATE=SCRIPT=<span class="high italic">pattern</span>
</div>

<a id="9.7.18" href="#"></a>
<a id="9.7.18.websocket" href="#"></a>
<a id="websocket" href="#"></a>
<h3 class="head"><span class="numb">9.7.18</span><span class="text">WebSocket</span></h3>

<p> Unconditionally disconnects all WebSocket applications.

<div class="blockof code">&dollar; HTTPD /DO=WEBSOCKET=DISCONNECT
</div>

<p> For VMS V8.2 and later, more selective disconnects are possible.
Disconnects WebSocket applications by connection number, by matching script
name, and by matching scripting account username, respectively.

<div class="blockof code">&dollar; HTTPD /DO=WEBSOCKET=DISCONNECT=<span class="high italic">number</span>
&dollar; HTTPD /DO=WEBSOCKET=DISCONNECT=SCRIPT=<span class="high italic">pattern</span>
&dollar; HTTPD /DO=WEBSOCKET=DISCONNECT=USER=<span class="high italic">pattern</span>
</div>

<!-- source:1000_WATCH.WASDOC -->
<hr class="page">
<a id="10." href="#"></a>
<a id="10.watchfacility" href="#"></a>
<a id="watchfacility" href="#"></a>
<h1 class="head"><span class="numb">10.</span><span class="text">WATCH Facility</span></h1>

<div class="TOC2cols2">
<table class="TOC2table">
<tr><td><a href="#10.1.serverinstances"><span class="numb">10.1</span><span class="text">Server Instances</span></a>
<tr><td><a href="#10.2.eventcategories"><span class="numb">10.2</span><span class="text">Event Categories</span></a>
<tr><td><a href="#10.3.requestfiltering"><span class="numb">10.3</span><span class="text">Request Filtering</span></a>
<tr><td><a href="#10.4.reportformat"><span class="numb">10.4</span><span class="text">Report Format</span></a>
<tr><td><a href="#10.5.usagesuggestions"><span class="numb">10.5</span><span class="text">Usage Suggestions</span></a>
<tr><td><a href="#10.6.commandlineuse"><span class="numb">10.6</span><span class="text">Command-Line Use</span></a>
</table>
</div>


<p> The WATCH facility is a powerful adjunct in server administration. From the
Server Administration facility (<a class="link" href="#9.serveradministration">9. Server Administration</a>) it provides an
<span class="high bold">online, real-time,  in-browser-window view of request processing in the
running server</span>. The ability to observe live request processing on an ad hoc
basis, without changing server configuration or shutting-down/restarting the
server process, makes this facility a great configuration and problem
resolution tool. It allows (amongst other uses)

<ul class="list simple list0">
<li class="item"> assessment of mapping rules
<li class="item"> assessment of authorization rules
<li class="item"> investigation of request processing problems
<li class="item"> observation of script interaction
<li class="item"> general observation of server behaviour
</ul>

<p> A single client per server process can access the WATCH facility at any
one time.  It can be used in one of two modes.

<ul class="list">

<li class="item"> As a <span class="high italic">one-shot</span>, one-off WATCH of a particular request.  This is
available from the <span class="high italic">Request Report</span> page of the Server Administration
facility.  In this case the single indicated request is tagged to be WATCHed
in all categories (see below) for the duration of the request (or until the
client stops WATCHing).

<li class="item"> As described in the following chapter the server and all new requests
being processed are candidates for being WATCHed.  Categories are selected
before initiating the WATCH and the report can be generated for a
user-specified number of seconds or aborted at any time using the browser's
<span class="high italic">stop</span> button.

</ul>

<p> Options immediately below the duration selector allow the WATCH output
to concurrently be included in the server process log.  This allows a permanent
record (at least as permanent as server logs) to be simply produced.

<a id="10.1" href="#"></a>
<a id="10.1.serverinstances" href="#"></a>
<a id="serverinstances" href="#"></a>
<h2 class="head"><span class="numb">10.1</span><span class="text">Server Instances</span></h2>

<p> With a single instance (see <a class="link" href="#8.1.serverinstances">8.1 Server Instances</a>) access to WATCH is
always through the one server process.  If multiple instances are configured
WATCH requests, in common with all others, will be serviced by any one of the
associated processes depending on the momentary state of the round-robin
distribution.

<p> This is often an issue for request WATCHing.  The simplest scenario
involves two instances.  When the WATCH report is activated it will be serviced
by the first process, when the request wishing to be WATCHed is accessed it (in
the absence of any other server activity) will be serviced by the other process
and will not be reported by WATCH on the first.

<p> The solution is to suspend the round-robin request processing for the period
of the WATCH activity.  This does not shut any instance down but instead makes
all but the supervisor instance quiescent.  (Technically, it dequeues all the
listening I/Os from non-supervisor instance server sockets, making the TCP/IP
network driver send all connection requests to the one instance left with
listening I/Os.)  It is just a matter of making the non-supervisor instances
active again when the WATCH activity is concluded.

<p> This may be done from the command-line using

<div class="blockof code">&dollar; HTTPD /DO=INSTANCE=PASSIVE
&dollar; HTTPD /DO=INSTANCE=ACTIVE
</div>
 or using the Server Administration facility,
where there are [Active] and [Passive] buttons
available when multiple instances are in use.  Neither transition disrupts any
requests being established or in-progress.

<a id="10.2" href="#"></a>
<a id="10.2.eventcategories" href="#"></a>
<a id="eventcategories" href="#"></a>
<h2 class="head"><span class="numb">10.2</span><span class="text">Event Categories</span></h2>

<p> An <span class="high italic">event</span> is considered any significant point for which the server code
has a reporting call provided. These have been selected to provide maximum
information with minimum clutter and impact on server performance. Obvious
examples are connection acceptance and closure, request path resolution, error
report generation, network reads and writes, etc. Events are collected together
into groupings to allow clearly defined areas of interest to be selected for
reporting.

<a class="imglink" target="_blank" href="./watch.png"><img class="image" src="./watch.png"></a>

<p> The report menu provides for the inclusion of any combination of the
following categories.

<a id="10.2.0.0.1" href="#"></a>
<a id="10.2.request" href="#"></a>
<a id="request" href="#"></a>
<h5 class="head"><span class="text">Request</span></h5>

<ul class="list">

<li class="item"> <span class="high bold">Processing &ndash; </span>
Each major step in a request's progress.  For example, path resolution and
final response status.

<li class="item"> <span class="high bold">Header &ndash; </span>
Provides the HTTP request header as a section of blank-line terminated text.

<li class="item"> <span class="high bold">Body &ndash; </span>
The content (if a POST or PUT method) of the request.   This is provided as a
hexadecimal dump on the  left and with printable characters rendered on the
right, 32 bytes per line.

</ul>

<a id="10.2.0.0.2" href="#"></a>
<a id="10.2.response" href="#"></a>
<a id="response" href="#"></a>
<h5 class="head"><span class="text">Response</span></h5>

<ul class="list">

<li class="item"> <span class="high bold">Processing &ndash; </span>
Each major step in generating a response to the request. These generally
reflect calls to a major server module such as file CACHE, FILE access,
INDEX-OF, SSI processing, etc. One or more of these events may occur for each
request. For instance a directory listing will show an INDEX-OF call and then
usually a FILE call as any read-me file is accessed.

<li class="item"> <span class="high bold">Header &ndash; </span>
The blank-line terminated HTTP header to the response. Only server-generated
headers are included. Scripts that provide a full HTTP stream do not have the
header explicitly reported. The response body category must be enabled to
observe these (indicated by a STREAM notation).

<li class="item"> <span class="high bold">Body &ndash; </span>
The content of the response.   This is provided as a hexadecimal dump on the
left and with printable characters rendered on the right, 32 bytes per line.
Some requests also generate very large responses which will clutter output.
Generally this category would be used when investigating specific request
response body problems.

</ul>

<a id="10.2.0.0.3" href="#"></a>
<a id="10.2.general" href="#"></a>
<a id="general" href="#"></a>
<h5 class="head"><span class="text">General</span></h5>

<ul class="list">

<li class="item"> <span class="high bold">Connection &ndash; </span>
Each TCP/IP connection acceptance and closure. The connect shows which service
the request is using (scheme, host name and port).

<li class="item"> <span class="high bold">Path Mapping &ndash; </span>
This, along with the authorization report, provides one of the most useful
aspects of the WATCH facility. It comprises an event line indicating the path
to be mapped (it can also show a VMS file specification if a <span class="high italic">reverse-mapping</span>
has been requested). Then as each rule is processed a summary showing current
path, match &quot;Y&quot;/&quot;N&quot; for each path template and any conditional, then the result
and conditional. Finally an event entry shows the resulting path, VMS file
specification, any script name and specification resolved. The path mapping
category allows the administrator to directly assess mapping rule processing
with live or generated traffic.

<li class="item"> <span class="high bold">Authorization &ndash; </span>
When authorization is deployed this category shows the rules examined to
determine if a path is controlled, any authentication events in assessing
username and password, and the consequent group, user and request capabilities
(read and/or write) for that path.  No password information is displayed.

<li class="item"> <span class="high bold">Error &ndash; </span>
The essential elements of a request error report are displayed. This may
include a VMS status value and associated system message.

<li class="item"> <span class="high bold">CGI &ndash; </span>
This category displays the generated CGI variable names and values as used by
various forms of scripting and by SSI documents, as well as the processing of
the response header returned by scripts.

<li class="item"> <span class="high bold">DCL &ndash; </span>
Debugging scripts can sometimes present particular difficulties. This category
may help. It reports on all input/output streams with the process
(SYS&dollar;INPUT, SYS&dollar;OUTPUT, SYS&dollar;COMMAND, CGIPLUSIN).

<li class="item"> <span class="high bold">DECnet &ndash; </span>
For the same reason as above this category reports all DECnet scripting
input/output of the DECnet link. In particular, it allows the observation of
the OSU scripting protocol.

<li class="item"> <span class="high bold">WebDAV &ndash; </span>
Provides WebDAV specific processing points including request and meta-data XML
associated with resources.

</ul>

<a id="10.2.0.0.4" href="#"></a>
<a id="10.2.network" href="#"></a>
<a id="network" href="#"></a>
<h5 class="head"><span class="text">Network</span></h5>

<ul class="list">

<li class="item"> <span class="high bold">Activity &ndash; </span>
For each raw network read and write the VMS status code and size of the I/O is
recorded.

<li class="item"> <span class="high bold">Data &ndash; </span>
For each raw network read or write the contents are provided as a hexadecimal
dump on the left and with printable characters rendered on the right, 32 bytes
per line.

<li class="item"> <span class="high bold">HTTP/2 &ndash; </span>
Provides a detailed overview of the underlying HTTP/2 framing and connection
management exchanges between client and server.  See <a class="link" href="#5.1.http2andwatch">&lsquo;HTTP/2 and WATCH&rsquo; in 5.1 WASD HTTP/2</a>
for further detail.

</ul>

<a id="10.2.0.0.5" href="#"></a>
<a id="10.2.other" href="#"></a>
<a id="other" href="#"></a>
<h5 class="head"><span class="text">Other</span></h5>

<ul class="list">

<li class="item"> <span class="high bold">Logging &ndash; </span>
Access logging events include log open, close and flush, as well as request
entries.

<li class="item"> <span class="high bold">Match &ndash; </span>
Shows a significant level of detail during string matching activities.  May be
useful during mapping, authorization and conditional processing.

<li class="item"> <span class="high bold">Script &ndash; </span>
Sets CGI variable WATCH_SCRIPT allowing a script to explicitly detect this so
as to output specific debugging or other information when being WATCHed.

<li class="item"> <span class="high bold">SSL &ndash; </span>
If the Secure Sockets Layer image is in use this category provides an indication
of high-level activity.

<li class="item"> <span class="high bold">Internal &ndash; </span>
Includes information on other significant internal server processing.  Examples
are dictionary entries at various stages of request processing, and the
high-level timing and timeout events occurring within that processing and the
server in general.

</ul>

<a id="10.2.0.0.6" href="#"></a>
<a id="10.2.proxy" href="#"></a>
<a id="proxy" href="#"></a>
<h5 class="head"><span class="text">Proxy</span></h5>

<ul class="list">

<li class="item"> <span class="high bold">Processing &ndash; </span>
Each major step during the serving of a proxied request.

<li class="item"> <span class="high bold">Request Header &ndash; </span>
The proxy server rebuilds the request originally received from the client. 
This category shows that rebuilt request, the one that is sent to the remote
server.

<li class="item"> <span class="high bold">Request Body &ndash; </span>
In the case of HTTP POST or PUT methods any request body is displayed.
This is provided as a hexadecimal dump on the left and with printable
characters rendered on the right, 32 bytes per line.

<li class="item"> <span class="high bold">Response Header &ndash; </span>
The blank-line terminated HTTP header to the response from the remote, proxied
server.

<li class="item"> <span class="high bold">Response Body &ndash; </span>
The content of the response sent from the remote server. This is provided as a
hexadecimal dump on the left and with printable characters rendered on the
right, 32 bytes per line.

<li class="item"> <span class="high bold">Rework &ndash; </span>
When reworking (see <a class="link" href="#7.6.2.proxyrework">7.6.2 Proxy Rework</a>) the string matching and substitution
is displayed.

</ul>

<a id="10.2.0.0.7" href="#"></a>
<a id="10.2.codemodules" href="#"></a>
<a id="codemodules" href="#"></a>
<h5 class="head"><span class="text">Code Modules</span></h5>

<p> If the server has been compiled using the WATCH_MOD=1 macro a set of
module WATCHing statements is included.  These provide far more detailed
processing information than is available with the generic WATCH, and are intended
primarily for debugging the server during development and testing.  This is
considered a specialized tool, with the quantity and level of detail produced
most likely proving counter-productive in addressing general site configuration
issues.  The module items are shown below the usual WATCH items.

<a id="10.3" href="#"></a>
<a id="10.3.requestfiltering" href="#"></a>
<a id="requestfiltering" href="#"></a>
<h2 class="head"><span class="numb">10.3</span><span class="text">Request Filtering</span></h2>
<p> By default all requests to all services are WATCHed. Fine control may be
exercised over exactly which requests are reported, allowing only a selected
portion of all requests being processed to be concentrated on, even on a live
and busy server. This is done by <span class="high italic">filtering</span> requests according to the following
criteria.

<ul class="list">

<li class="item"> <span class="high bold">Protocol &ndash; </span>
The HTTP protocol being used to transport the request.  Multiple protocols may
be selected and concurrently filtered against.

<li class="item"> <span class="high bold">Client &ndash; </span>
The originating host name or address. Unless server DNS host name resolution
is enabled this must be expressed in dotted-decimal notation.
The <span class="high nowrap"> &quot;  <input type="checkbox" id="checkbox1"
name="checkbox1"><label for="checkbox1">moi</label> &quot;</span>
checkbox filters on the WATCHing party's host address.

<li class="item"> <span class="high bold">Service &ndash; </span>
The service connected to. This includes the <span class="high italic">scheme</span> of the service (i.e.
&quot;http:&quot;, &quot;https:&quot;), the host name (real or virtual), and the port. The host
name is the <span class="high italic">official</span> name of the service as reported during server startup.
As the port number is an essential part of the service specification it must
always be explicitly supplied or wildcarded.

<li class="item"> <span class="high bold">Request &ndash; </span>
This filter operates on the entire HTTP request header.  All fields supplied
with the request are available to be filtered against.  As this is a large,
multi-line dataset filters can become quite complex and regular expression (see 
<a class="link blank" target="_blank" href="../config/#stringmatching">String Matching</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>)
matching may be useful (see examples below).

<li class="item"> <span class="high bold">URI &ndash; </span>
This is the string provided by the client and specifying the requested
resource.  It includes the resource path along with any query string.  It can
contain URL-encoded (sometimes referred to as percent-encoded) characters. 
Some characters have alternate encodings, such as the space, as + or %20.

<li class="item"> <span class="high bold">Realm &amp; User &ndash; </span>
This filters against request authentication information.  As authorization
occurs relatively late in request processing some data reported earlier by
WATCH will not be available.

<li class="item"> <span class="high bold">HTTP Status &ndash; </span>
This allows a class of response status (1 (informational), 2 (success), 3
(redirection), 4 (client error) and 5 (server error)) or a specific response
status (e.g. 200 (success), 404 (not found), 503 (service unavailable), etc.)
to be filtered into the WATCH report.  As this happens very late in request
processing the number of reported events is limited but may provide some
insight into particular processing problems.

</ul>

<p> In addition there are <span class="high bold"><span class="high italic">in</span> and <span class="high italic">out</span> selectors</span> against each of the
filters which include or exclude the particular request based on it matching
the filter.

<p> These filters are controlled using fully-specified, wildcarded strings or
using regular expression patterns (see 
<a class="link blank" target="_blank" href="../config/#requestprocessingconfiguration">Request processing Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>).
In common with all WASD processing, filter matching is case-insensitive.  Of
course, due to the point of application of a particular filter during request
processing, some information may or may not be displayed.  When a request is
filtered into or out of the report because of a matching filter a FILTER
informational item is reported.

<a id="10.3.0.0.1" href="#"></a>
<a id="10.3.examples" href="#"></a>
<a id="examples" href="#"></a>
<h5 class="head"><span class="text">Examples</span></h5>

<ol class="list">

<li class="item"> This first example shows various strings and patterns that could be
applied to the client filter.
<div class="blockof code">alpha.example.com
*.example.com  
131.185.250.202
131.185.250.*
^10.68.250.*&verbar;10.68.251.*
</div>

<li class="item"> This example shows various filters applied to the service (virtual server).
<div class="blockof code">beta.example.com:8000
beta.example.com:*
http://*
https:*
*:80
</div>

<li class="item"> The request filter contains the entire HTTP request header.  This includes
multiple, newline-delimited fields.  Filtering can be simple or quite complex.
These examples filter all POST requests (either in or out of the report
depending on the respective selector), and all POSTs to the specified script
respectively.

<div class="blockof code">POST *
POST /cgi-bin/example*
</div>

<p> These are the equivalent regular expressions but also will stop comparing
at the end of the initial request line.  The second, in this case, will also
only filter against HTTP/1.1 version requests (note the final period matching
the &lt;CR&gt; of the &lt;CR&gt;&lt;LF&gt; carriage control).

<div class="blockof code">^^POST .*&dollar;
^^POST */cgi-bin/example *HTTP/1\.1.&dollar;
</div>

<p> This example uses a regular expression to constrain the match to a single
header field (line, or newline-delimited string), matching all requests where
the user agent reports using the &quot;Gecko&quot; browser component (Mozilla,
Firefox, etc.)

<div class="blockof code">^^User-agent:.*Gecko.*&dollar;
</div>

<li class="item"> The path and track filter.  The path contains a proxied origin server
request and so can be used to filter proxy requests to specific sites.
<div class="blockof code">/wasd_root/src/*
/cgi-bin/*
/web/*/cyrillic/*
&dollar;ORoKJAOef8sAAAkuACc
http://proxied.host.name/*
</div>

<li class="item"> The authentication filters, realm and user, can be used to select
requests for a particular authenticated user, all authenticated requests or all
non-authenticated requests, amongst other applications.  The realm field allows
the authenticated user to be further narrowed as necessary.  All of the
following examples show only the user field with the default <span class="high italic">in</span> selector
set.

<p> Authenticated requests for user DANIEL. 

<div class="blockof code">DANIEL
</div>

<p> All authenticated requests. 
<div class="blockof code">%*
</div>

</ol>

<a id="10.4" href="#"></a>
<a id="10.4.reportformat" href="#"></a>
<a id="reportformat" href="#"></a>
<h2 class="head"><span class="numb">10.4</span><span class="text">Report Format</span></h2>

<p> The following example illustrates the format of the WATCH report. It begins
with multi-line heading. The first two record the date, time and official
server name, with underline. The third provides the WASD server version.  The
fourth provides some TCP/IP agent information.  Lines following can show
OpenSSL version (if deployed), system information, server startup command-line,
and then current server process quotas.  The last three lines of the header
provide a list of the categories being recorded, the filters in use, and,
last, the column headings, described as follows: 

<ul class="list simple list0">
<li class="item"> <span class="high bold">time</span> the event was recorded
<li class="item"> the <span class="high bold">module</span> name of the originating source code
<li class="item"> the <span class="high bold">line</span> in the code module 
<li class="item"> a unique <span class="high bold">item</span> number for each thread being WATCHed
<li class="item"> event <span class="high bold">category</span> name
<li class="item"> free-form, but generally interpretable <span class="high bold">event</span> data
</ul>

<a class="imglink" target="_blank" href="./watchreport.png"><img class="image" src="./watchreport.png"></a>

<p> Note that some items also include a block of data. The request header
category does this, providing the blank-line terminated text comprising the
HTTP header. Rule mapping also provides a block of information representing
each rule as it is interpreted. Generally WATCH-generated information can be
distinguished from other data by the uniform format and delimiting vertical
bars. Initiative and imagination is sometimes required to interpret the
free-form data but a basic understanding of HTTP serving and a little
consideration is generally all that is required to deduce the essentials of any
report.

<div class="blockof code">01-NOV-2021 23:24:40  WATCH REPORT  x86vms.lan:80
-------------------------------------------------
HTTPD_SSL 12.0.0 31-OCT-2021 07:38:27.62 DKA100:[WASD_ROOT.][X86_64]HTTPD_SSL.EXE (28-OCT-2021 02:51:54.41)
HP TCPIP&dollar;IPC_SHR X6.0-12 (31-AUG-2021 20:01:12.49)
OpenSSL 1.1.1k  25 Mar 2021 (Tue Mar 30 04:14:48 2021 UTC) [SYS0.SYSCOMMON.SSL111.INCLUDE]*.H
SYS&dollar;COMMON:[SYSLIB]SSL111&dollar;LIBSSL_SHR32.EXE
&dollar; CC (V8.4-2L1/70430528) /DECC /STAND=RELAXED_ANSI /PREFIX=ALL /NAMES=UPPER /OPTIMIZE /NODEBUG
/WARNING=(NOINFORM,DISABLE=(PREOPTW)) /FLOAT=IEEE /IEEE=DENORM
/DEFINE=(WASD_VMS_V7,SESOLA,WATCH_CAT=1,WATCH_MOD=0,WASD_ACME=1,WASD_GETSPI=1)
innotek GmbH VirtualBox with 2 CPUs and 3584MB running VMS V9.1-A (ODS-5 enabled, VMS NAML, VMS FIB, ODS-DIRECT enabled, ZLIB X00018292 (%RMS-E-FNF, file not found), REGEX enabled, lksb&dollar;b_valblk[64])
&dollar; HTTPD /PRIORITY=4 /SYSUAF=(ID,SSL,PROXY)/PERSONA=RELAXED/PROFILE
AST:1978/2000 BIO:1984/2000 BYT:4026752/4999424 DIO:977/1000 ENQ:462/500 FIL:293/300 PGFL:345472/512000 PRC:0/100 TQ:98/100
DCL Scripting: detached, as HTTP&dollar;NOBODY, PERSONA enabled
Process: WASD:80 OTHER DKA100:[wasd_root.][startup]startup_server.com;1 DKA100:[wasd_root.][log_server]X86VMS_20211101015323.LOG;1
Instances: X86VMS::WASD:80
Watching: connect, request, req-header, response, error (539) via HTTP/2
Filter: NONE
&verbar;Time_______&verbar;Module__&verbar;Line&verbar;Item__&verbar;Category__&verbar;Event...&verbar;
&verbar;23:24:52.89 HTTP2REQ 0308 023002 CONNECT    HTTP/2 begin 23 with gort.lan,53801&verbar;
&verbar;++++++++++++++++++++++++++++++++++++++++++++
&verbar;23:24:52.89 HTTP2REQ 0324 023002 REQ-HEADER HEADER 371 bytes&verbar;
GET /httpd/-/admin/ HTTP/1.1
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-encoding: br, gzip, deflate
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.2 Safari/605.1.15
accept-language: en-au
authorization: *******************************
host: x86vms.gets-it.net

&verbar;23:24:52.89 REQUEST  3703 023002 REQ-HEADER DATA&verbar;
ENTRY 001 [012] &dollar; {12}request_line={28}GET /httpd/-/admin/ HTTP/1.1
ENTRY 002 [014] &gt; {6}accept={63}text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
ENTRY 003 [018] &gt; {15}accept-encoding={17}br, gzip, deflate
ENTRY 004 .001. &gt; {10}user-agent={119}Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.2 Safari/605.1.15
ENTRY 005 [007] &gt; {15}accept-language={5}en-au
ENTRY 006 [031] &gt; {13}authorization={30}******************************
ENTRY 007 [024] &gt; {4}host={18}x86vms.gets-it.net
&verbar;23:24:52.89 SERVICE  1747 023002 CONNECT    VIRTUAL x86vms.gets-it.net:443&verbar;
&verbar;23:24:52.89 REQUEST  4413 023002 REQUEST    GET /httpd/-/admin/&verbar;
&verbar;23:24:52.89 ADMIN    0265 023002 RESPONSE   ADMIN /httpd/-/admin/&verbar;
&verbar;23:24:52.89 REQUEST  1435 023002 REQUEST    STATUS 200 (OK) rx:106 tx:19536 bytes 10.000ms 1,964,219 B/s&verbar;
&verbar;--------------------------------------------
&verbar;23:24:52.89 HTTP2REQ 1165 023002 CONNECT    HTTP/2 end 23 with gort.lan,53801&verbar;
&verbar;23:24:53.40 HTTP2REQ 0308 025002 CONNECT    HTTP/2 begin 25 with gort.lan,53801&verbar;
&verbar;++++++++++++++++++++++++++++++++++++++++++++
&verbar;23:24:53.40 HTTP2REQ 0324 025002 REQ-HEADER HEADER 310 bytes&verbar;
GET /rtt?ping HTTP/1.1
accept: */*
accept-encoding: br, gzip, deflate
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.2 Safari/605.1.15
accept-language: en-au
referer: https://x86vms.gets-it.net/httpd/-/admin/
host: x86vms.gets-it.net

&verbar;23:24:53.40 REQUEST  3703 025002 REQ-HEADER DATA&verbar;
ENTRY 001 [012] &dollar; {12}request_line={22}GET /rtt?ping HTTP/1.1
ENTRY 002 [014] &gt; {6}accept={3}*/*
ENTRY 003 [018] &gt; {15}accept-encoding={17}br, gzip, deflate
ENTRY 004 .001. &gt; {10}user-agent={119}Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.2 Safari/605.1.15
ENTRY 005 [007] &gt; {15}accept-language={5}en-au
ENTRY 006 [013] &gt; {7}referer={41}https://x86vms.gets-it.net/httpd/-/admin/
ENTRY 007 [024] &gt; {4}host={18}x86vms.gets-it.net
&verbar;23:24:53.40 ADMIN    4414 025002 CONNECT    RTT PING!&verbar;
&verbar;23:24:53.40 REQUEST  1435 025002 REQUEST    STATUS 204 (No Content) rx:60 tx:369 bytes 0.0s 0 B/s&verbar;
&verbar;--------------------------------------------
&verbar;23:24:53.40 HTTP2REQ 1165 025002 CONNECT    HTTP/2 end 25 with gort.lan,53801&verbar;
</div>

<a id="10.5" href="#"></a>
<a id="10.5.usagesuggestions" href="#"></a>
<a id="usagesuggestions" href="#"></a>
<h2 class="head"><span class="numb">10.5</span><span class="text">Usage Suggestions</span></h2>

<p> The following provides a brief explanation of the way WATCH operates and
any usage implications.

<p> A single client may be connected to the WATCH facility at any given time.
When connecting the client is sent an HTTP response header and the WATCH report
heading lines.  The request then remains connected until the WATCH duration
expires or the client overtly aborts the connection.  During this period the
browser behaves as if receiving a sometimes very slow, sometimes stalled,
plain-text document.  As the server processes WATCHable events the text
generated is sent to the WATCH-connected client.

<p> If the connection is aborted by the user some browsers will consider
document retrieval to be incomplete and attempt to reconnect to the service if
an attempt is made to print or save the resulting document. As the printing of
WATCH information is often quite valuable during problem resolution this
behaviour can result in loss of information and generally be quite annoying.
Appropriate use of the duration selector when requesting a report can work
around this, as at expiry the <span class="high italic">server</span> disconnects, browsers generally
interpreting this as legitimate end-of-document (when no content-length has
been specified).

<p> During report processing some browsers may not immediately update the
on-screen information to reflect received data without some application
activity. If scroll-bars are present on the document window manipulating
either the horizontal or vertical slider will often accomplish this. Failing
that minimizing then restoring the application will usually result in the most
recent information being visible.

<p> Browser <span class="high italic">reload/refresh</span> may be used to restart the report. A browser will
quite commonly attempt to remain at the current position in the document, which
with a WATCH report's sustained but largely indeterminate data stream may take
some time to reach. It is suggested the user ensure that any vertical
scroll-bar is at the beginning of the current report, then refresh the report.

<p> Selecting a large number of categories, those that generate copious output
for a single event (e.g. response body) or collecting for extended periods
can all result in the receipt of massive reports. Some browsers do not cope
well with documents megabytes in size.

<div class="note"><a id="10.5.0.0.0.1" href="#"></a>
<a id="10.5.note" href="#"></a>
<a id="note" href="#"></a>
<h5 class="head center"><span class="text">Note</span></h5>
<hr class="note_hr">

WATCH reports are written using non-blocking I/O into an internal buffer.  This
buffer is written when filled, or flushed at a one second interval.  Slight
latency may be experienced with sporadic WATCH report items.
<hr class="note_hr">
</div>

<p> <span class="high bold">When supplying WATCH output as part of a problem report</span>
please ZIP the file and include it as an e-mail attachment.  Mailers often
mangle the report format making it difficult to interpret.

<a id="10.6" href="#"></a>
<a id="10.6.commandlineuse" href="#"></a>
<a id="commandlineuse" href="#"></a>
<h2 class="head"><span class="numb">10.6</span><span class="text">Command-Line Use</span></h2>

<p> Although intended primarily as a tool for online use WATCH can be deployed
at server startup with a command-line qualifier and provide report output to
the server process log. This is slightly more cumbersome than the Web interface
but may still be useful in some circumstances. Full control over event
categories and filters is possible.

<ul class="list">

<li class="item"> <span class="high bold">/NOWATCH</span> Disables the use of the online WATCH facility.

<li class="item"> <span class="high bold">/WATCH=</span> Enables the server WATCH facility, dumping to
standard output (and the server process log if detached).  When in effect the
online facility is unavailable.  The string supplied to the qualifier may
comprise four comma-separated components.  Only the first is mandatory.
Stated order is essential.  It will probably be necessary to enclose the
complete string in quotation marks.

<ul class="list">

<li class="item"> <span class="high bold">LIST &ndash; </span>
The LIST keyword provides a list of all the categories (items) available for
WATCHing.

<li class="item"> <span class="high bold">NOSTARTUP &ndash; </span>
This keyword suppresses WATCH output until the server is ready to process
requests.  It must be the leading keyword.

<li class="item"> <span class="high bold"> <span class="high italic">items</span> &ndash; </span>
A parenthesized, comma-separated list of category keywords.  Available keywords
can be displayed using the LIST facility.

<li class="item"> <span class="high bold"> <span class="high italic">filters</span> &ndash; </span>
Client, service and path filters can be provided following the specification
of required items.  They must be provided in the order listed above.  Leading
filters that are not required must be provided as single, asterisk wildcards. 
A WATCH parameter with filters containing forward-slashes will require quoting.

</ul>

</ul>

<p> The following examples illustrate the command-line WATCH specification.

<div class="blockof code">/NOWATCH
/WATCH=NOSTARTUP,ITEMS=(REQUEST,RESPONSE,MAPPING)
/WATCH=&quot;ITEMS=(REQUEST,RESPONSE,ERROR),*,*,/cgi-bin/*&quot;
/WATCH=LIST
</div>

<!-- source:1100_PERFORMANCE.WASDOC -->
<hr class="page">
<a id="11." href="#"></a>
<a id="11.serverperformance" href="#"></a>
<a id="serverperformance" href="#"></a>
<h1 class="head"><span class="numb">11.</span><span class="text">Server Performance</span></h1>

<table class="TOC2table">
<tr><td><a href="#11.1.simplefilerequestturnaround"><span class="numb">11.1</span><span class="text">Simple File Request Turn-Around</span></a>
<tr><td><a href="#11.2.scripting"><span class="numb">11.2</span><span class="text">Scripting</span></a>
</table>
</div>


<div class="note center">
<a id="11.0.0.0.1" href="#"></a>
<a id="11.thesearev115results" href="#"></a>
<a id="thesearev115results" href="#"></a>
<h5 class="head center"><span class="text">These Are v11.5 Results</span></h5>
<hr class="note_hr">
It is planned to evaluate x86-64 v12 performance once OpenVMS V9.2-1 and native
compilers become available some time later in CY2022.
<hr class="note_hr">
</div>

<p> The server has a single-process, multi-threaded, asynchronous I/O design. On
a single-processor system this is the most efficient approach.  On a
multi-processor system it is limited by the single process context (with
scripts executing within their own context).  For I/O constrained processing
(the most common in general Web environments) the AST-driven approach is quite
efficient.

<p> The test-bench system was a <span class="high bold">DEC PWS 500 with 1 CPU and 1.5GB memory</span>,
running <span class="high bold">VSI OpenVMS V8.4-2L1 and VSI TCP/IP TCPIP V5.7-13ECO5F</span>.

<div class="note">
<a id="11.0.0.0.2" href="#"></a>
<a id="11.sureanoldclunker" href="#"></a>
<a id="sureanoldclunker" href="#"></a>
<h5 class="head center"><span class="text">Sure, an old clunker</span></h5>
<hr class="note_hr">
WASD largely has been developed on this system for 15+ years.

<p> While by today's standards it is a very resource constrained system,
especially by the EV56 (21164A) CPU, it has pretty-much done everything asked
of it for all that time.  Importantly, it has recent releases of system
software, courtesy of VSI's ISV support programme.  For performance purposes,
this allows comparison with recent releases of CSWS (VMS Apache).

<p> The requirements for a test-bench system effectively exclude production
systems, especially external ones, hence working with what is at hand. 

<hr class="note_hr">
</div>

<p> This performance data (WASD v11.5) has been collected very differently to
the next most recent from over a decade ago (WASD v10.0).  Apart from the move
from an HP rx2600 to the vintage PWS 500, the previous benchmarking tools were
WASD-in-house, ApacheBench (AB) and WASDbench (WB), executing on the same
system as the server, eliminating network traffic <span class="high italic">on-the-wire</span>.  The current
absolute benchmarks cannot meaningfully be compared to previous data.  The
relativities seem to be comparable.

<a id="11.0.0.0.3" href="#"></a>
<a id="11.benchmarksetup" href="#"></a>
<a id="benchmarksetup" href="#"></a>
<h5 class="head"><span class="text">Benchmark Setup</span></h5>

<p> These data have been collected using the <span class="high italic">h2load</span> utility
(<a class="link blank" target="_blank" href="https://nghttp2.org/documentation/h2load.1.html">https://nghttp2.org/documentation/h2load.1.html</a>) from the HTTP/2
C Library (<a class="link blank" target="_blank" href="https://nghttp2.org">https://nghttp2.org</a>).  This utility can be used to
configurably load <span class="high bold">HTTP, HTTPS and HTTP/2</span> servers.  Note that the number of
client threads (<span class="high monosp">-t</span>) is explicitly set to the connection concurrency
(<span class="high monosp">-c</span>) to maximise <span class="high italic">h2load</span> processing.

<p> The <span class="high italic">h2load</span> utility is running on an 8 CPU, 32GB Mac Pro, across a 500
Mbps LAN to the 100 Mbps interface of the PWS.  The obvious resource
constraints are the single PWS CPU and its network interface.  Every effort has
been made to ensure these do not unreasonably constrain the comparison.

<p> Clear text HTTP (port 80) data is collected to measure internal server
processing without the CPU-intensive overhead of encryption.  Encrypted HTTP
(port 443) data provides more real-world scenarios (especially now clear-text
is largely deprecated).  Both WASD and Apache were using OpenSSL 1.1.1 and
negotiated TLS v1.2. 

<p> Output from <span class="high italic">h2load</span> benchmarking runs is included in the
<a class="link blank" target="_blank" href="/wasd_root/exercise/*v115*.txt">WASD_ROOT:[EXERCISE]*V115*.TXT</a> directory
and is summarised below.

<a id="11.0.0.0.4" href="#"></a>
<a id="11.theseresultsareindicativeonly" href="#"></a>
<a id="theseresultsareindicativeonly" href="#"></a>
<h5 class="head"><span class="text">These results are indicative only!</span></h5>

<p> Every endeavour has been made to ensure the comparison is as equitable as
possible.  Both servers execute at the same process priority, with access logging
and host name lookup disabled, and run on the same machine in the same
relatively quiescent environment.  Each test run was interleaved between the two
servers to try to distribute any environment variations.  Those runs that are
very high throughput use a larger number of requests to improve sample period
validity.  Both servers were configured pretty-much &quot;out-of-the-box&quot;, with minimal
changes (generally just enough to get the test environment going).  Multiple
data collections have yielded essentially equivalent relative results.

<p> For the test-bench WASD v11.5 is present on ports 80 and 443.

<a id="11.0.0.0.5" href="#"></a>
<a id="11.apachecomparison" href="#"></a>
<a id="apachecomparison" href="#"></a>
<h5 class="head"><span class="text">Apache Comparison</span></h5>

<p> The Apache comparison used the latest VSI AXPVMS CSWS V2.4-38C (based on
Apache v2.4.38) kit.  Apache is present on ports 7780 and 7443.

<a id="11.0.0.0.6" href="#"></a>
<a id="11.osucomparison" href="#"></a>
<a id="osucomparison" href="#"></a>
<h5 class="head"><span class="text">OSU Comparison</span></h5>

<p> Previous benchmarking included OSU data.  These are no longer collected.

<a id="11.1" href="#"></a>
<a id="11.1.simplefilerequestturnaround" href="#"></a>
<a id="simplefilerequestturnaround" href="#"></a>
<h2 class="head"><span class="numb">11.1</span><span class="text">Simple File Request Turn-Around</span></h2>

<p> A series of tests using batches of accesses. The first test returned an
empty file measuring response and file access time, without any actual
transfer. The second requested a file of 64k characters, testing performance
with a more realistic load.  All were done using one and ten concurrent
requests.

<div class="blockof block center">
<a id="11.1.0.0.1" href="#"></a>
<a id="11.1.http11clear" href="#"></a>
<a id="http11clear" href="#"></a>
<h5 class="head under"><span class="text">HTTP/1.1 clear</span></h5>
<a id="11.1.0.0.2" href="#"></a>
<a id="11.1.concurrency1" href="#"></a>
<a id="concurrency1" href="#"></a>
<h5 class="head"><span class="text">Concurrency 1</span></h5>
<table class="tabu tabauto">
<tr class="tabr">
<th class="tabh">
<th class="tabh" colspan="2">Requests/Second
<th class="tabh" colspan="2">Data Rate MBps
<tr class="tabr">
<th class="tabh">Response
<th class="tabh">WASD
<th class="tabh">Apache
<th class="tabh">WASD
<th class="tabh">Apache
<tr class="tabr">
<td class="tabd">0k
<td class="tabd">352
<td class="tabd">71
<td class="tabd">0.104
<td class="tabd">0.018
<tr class="tabr">
<td class="tabd">64k
<td class="tabd">61
<td class="tabd">36
<td class="tabd">3.740
<td class="tabd">2.230
</table>

<a id="11.1.0.0.3" href="#"></a>
<a id="11.1.concurrency10" href="#"></a>
<a id="concurrency10" href="#"></a>
<h5 class="head"><span class="text">Concurrency 10</span></h5>
<table class="tabu tabauto">
<tr class="tabr">
<th class="tabh">
<th class="tabh" colspan="2">Requests/Second
<th class="tabh" colspan="2">Data Rate MBps
<tr class="tabr">
<th class="tabh">Response
<th class="tabh">WASD
<th class="tabh">Apache
<th class="tabh">WASD
<th class="tabh">Apache
<tr class="tabr">
<td class="tabd">0k
<td class="tabd">1146
<td class="tabd">67
<td class="tabd">0.338
<td class="tabd">0.017
<tr class="tabr">
<td class="tabd">64k
<td class="tabd">124
<td class="tabd">48
<td class="tabd">7.590
<td class="tabd">2.940
</table>

<a id="11.1.0.0.4" href="#"></a>
<a id="11.1.http11encrypted" href="#"></a>
<a id="http11encrypted" href="#"></a>
<h5 class="head under"><span class="text">HTTP/1.1 encrypted</span></h5>
<a id="11.1.0.0.5" href="#"></a>
<a id="11.1.concurrency1" href="#"></a>
<a id="concurrency1" href="#"></a>
<h5 class="head"><span class="text">Concurrency 1</span></h5>
<table class="tabu tabauto">
<tr class="tabr">
<th class="tabh">
<th class="tabh" colspan="2">Requests/Second
<th class="tabh" colspan="2">Data Rate MBps
<tr class="tabr">
<th class="tabh">Response
<th class="tabh">WASD
<th class="tabh">Apache
<th class="tabh">WASD
<th class="tabh">Apache
<tr class="tabr">
<td class="tabd">0k
<td class="tabd">276
<td class="tabd">51
<td class="tabd">0.092
<td class="tabd">0.013
<tr class="tabr">
<td class="tabd">64k
<td class="tabd">21
<td class="tabd">25
<td class="tabd">1.300
<td class="tabd">1.550
</table>

<a id="11.1.0.0.6" href="#"></a>
<a id="11.1.concurrency10" href="#"></a>
<a id="concurrency10" href="#"></a>
<h5 class="head"><span class="text">Concurrency 10</span></h5>
<table class="tabu tabauto">
<tr class="tabr">
<th class="tabh">
<th class="tabh" colspan="2">Requests/Second
<th class="tabh" colspan="2">Data Rate MBps
<tr class="tabr">
<th class="tabh">Response
<th class="tabh">WASD
<th class="tabh">Apache
<th class="tabh">WASD
<th class="tabh">Apache
<tr class="tabr">
<td class="tabd">0k
<td class="tabd">175
<td class="tabd">46
<td class="tabd">0.580
<td class="tabd">0.112
<tr class="tabr">
<td class="tabd">64k
<td class="tabd">39
<td class="tabd">24
<td class="tabd">2.360
<td class="tabd">1.440
</table>

<a id="11.1.0.0.7" href="#"></a>
<a id="11.1.http2encrypted" href="#"></a>
<a id="http2encrypted" href="#"></a>
<h5 class="head under"><span class="text">HTTP/2 (encrypted)</span></h5>
<p> (VMS Apache currently does not support HTTP/2)
<a id="11.1.0.0.8" href="#"></a>
<a id="11.1.concurrency1" href="#"></a>
<a id="concurrency1" href="#"></a>
<h5 class="head"><span class="text">Concurrency 1</span></h5>
<table class="tabu tabauto">
<tr class="tabr">
<th class="tabh">
<th class="tabh" colspan="2">Requests/Second
<th class="tabh" colspan="2">Data Rate MBps
<tr class="tabr">
<th class="tabh">Response
<th class="tabh">WASD
<th class="tabh">Apache
<th class="tabh">WASD
<th class="tabh">Apache
<tr class="tabr">
<td class="tabd">0k
<td class="tabd">191
<td class="tabd">-
<td class="tabd">0.286
<td class="tabd">-
<tr class="tabr">
<td class="tabd">64k
<td class="tabd">20
<td class="tabd">-
<td class="tabd">1.210
<td class="tabd">-
</table>

<a id="11.1.0.0.9" href="#"></a>
<a id="11.1.concurrency10" href="#"></a>
<a id="concurrency10" href="#"></a>
<h5 class="head"><span class="text">Concurrency 10</span></h5>
<table class="tabu tabauto">
<tr class="tabr">
<th class="tabh">
<th class="tabh" colspan="2">Requests/Second
<th class="tabh" colspan="2">Data Rate MBps
<tr class="tabr">
<th class="tabh">Response
<th class="tabh">WASD
<th class="tabh">Apache
<th class="tabh">WASD
<th class="tabh">Apache
<tr class="tabr">
<td class="tabd">0k
<td class="tabd">156
<td class="tabd">-
<td class="tabd">0.240
<td class="tabd">-
<tr class="tabr">
<td class="tabd">64k
<td class="tabd">37
<td class="tabd">-
<td class="tabd">2.250
<td class="tabd">-
</table>

</div>

<p> Data file (non-relevant output snipped):

<ul class="list simple list0">
<li class="item"> <a class="link blank" target="_blank" href="/wasd_root/exercise/perf_files_v115.txt">WASD_ROOT:[EXERCISE]PERF_FILES_V115.TXT</a>
</ul>

<a id="11.1.0.0.10" href="#"></a>
<a id="11.1.filetransferrate" href="#"></a>
<a id="filetransferrate" href="#"></a>
<h5 class="head"><span class="text">File Transfer Rate</span></h5>

<p> Requests for a large <span class="high italic">binary</span> file (3.92MB - 8039 blocks) indicate a
<span class="high bold">potential transfer rate of multiple Mbytes per second</span>.

<div class="blockof block center"><a id="11.1.0.0.11" href="#"></a>
<a id="11.1.dataratembytessecond" href="#"></a>
<a id="dataratembytessecond" href="#"></a>
<h5 class="head"><span class="text">Data Rate - MBytes/Second</span></h5>
<p> (VMS Apache currently does not support HTTP/2)

<table class="tabu tabauto">
<tr class="tabr">
<td class="tabd">
<th class="tabh">Concurrent
<th class="tabh">WASD
<th class="tabh">Apache
<tr class="tabr">
<th class="tabh" colspan="1" rowspan="2">HTTP/1.1<br>(clear)
<td class="tabd">1
<td class="tabd">6.07
<td class="tabd">4.40
<tr class="tabr">
<td class="tabd">10
<td class="tabd">8.85
<td class="tabd">8.70
<tr class="tabr">
<th class="tabh" colspan="1" rowspan="2">HTTP/1.1<br>(encrypted)
<td class="tabd">1
<td class="tabd">2.91
<td class="tabd">3.23
<tr class="tabr">
<td class="tabd">10
<td class="tabd">2.77
<td class="tabd">2.92
<tr class="tabr">
<th class="tabh" colspan="1" rowspan="2">HTTP/2<br>(encrypted)
<td class="tabd">1
<td class="tabd">2.77
<td class="tabd">-
<tr class="tabr">
<td class="tabd">10
<td class="tabd">2.80
<td class="tabd">-
</table>
</div>

<p> Data file (non-relevant output snipped):

<ul class="list simple">
<li class="item"> <a class="link blank" target="_blank" href="/wasd_root/exercise/perf_xfer_v115.txt">WASD_ROOT:[EXERCISE]PERF_XFER_V115.TXT</a>
</ul>

<a id="11.1.0.0.12" href="#"></a>
<a id="11.1.filerecordformat" href="#"></a>
<a id="filerecordformat" href="#"></a>
<h5 class="head"><span class="text">File Record Format</span></h5>

<p> The WASD server can handle STREAM, STREAM_LF, STREAM_CR, FIXED and UNDEFINED
record formats very much more efficiently than VARIABLE or VFC files. With
STREAM, FIXED and UNDEFINED files the assumption is that HTTP carriage-control
is within the file itself (i.e. at least the newline (LF), which is all that is
required by browsers), and so does not require additional processing.  With
VARIABLE record files the carriage-control is implied and therefore each record
requires additional processing by the server to supply it.  Even though, with
variable record files, the HTTPd buffers multiple records before writing them
collectively to the network (improving efficiency), stream and binary file reads
are by Virtual Block and are written to the network immediately, making the
transfer of these very efficient indeed!

<a id="11.2" href="#"></a>
<a id="11.2.scripting" href="#"></a>
<a id="scripting" href="#"></a>
<h2 class="head"><span class="numb">11.2</span><span class="text">Scripting</span></h2>

<p> A simple performance evaluation shows the relative merits of WASD scripting
and Apache in CGI and persistent environments, using
<a class="link blank" target="_blank" href="/wasd_root/src/cgiplus/cgiplustest.c">WASD_ROOT:[SRC.CGIPLUS]CGIPLUSTEST.C</a>
which executes in standard CGI, CGIplus and Apache loadable module
environments.  CGIplus and Apache modules are somewhat analogous.  A series of
accesses were made.  The first test returned only the HTTP header, evaluating
raw request turn-around time. The second test requested a body of 64k
characters, again testing performance with a more realistic load.

<div class="blockof block center">
<a id="11.2.0.0.1" href="#"></a>
<a id="11.2.concurrency1requestssecond" href="#"></a>
<a id="concurrency1requestssecond" href="#"></a>
<h5 class="head"><span class="text">Concurrency 1 - Requests/Second</span></h5>
<table class="tabu tabauto">
<tr class="tabr">
<th class="tabh">Response
<th class="tabh">WASD CGI
<th class="tabh">WASD CGIplus
<th class="tabh">Apache CGI
<th class="tabh">Apache module
<tr class="tabr">
<td class="tabd">0kB
<td class="tabd">27
<td class="tabd">193
<td class="tabd">5
<td class="tabd">52
<tr class="tabr">
<td class="tabd">64kB
<td class="tabd">14
<td class="tabd">25
<td class="tabd">5
<td class="tabd">31
</table>

<a id="11.2.0.0.2" href="#"></a>
<a id="11.2.concurrency10requestssecond" href="#"></a>
<a id="concurrency10requestssecond" href="#"></a>
<h5 class="head"><span class="text">Concurrency 10 - Requests/Second</span></h5>
<table class="tabu tabauto">
<tr class="tabr">
<th class="tabh">Response
<th class="tabh">WASD CGI
<th class="tabh">WASD CGIplus
<th class="tabh">Apache CGI
<th class="tabh">Apache module
<tr class="tabr">
<td class="tabd">0kB
<td class="tabd">28
<td class="tabd">337
<td class="tabd">4
<td class="tabd">51
<tr class="tabr">
<td class="tabd">64kB
<td class="tabd">16
<td class="tabd">65
<td class="tabd">4
<td class="tabd">37
</table>

</div>

<p> Data file (non-relevant output snipped):

<ul class="list simple list0">
<li class="item"> <a class="link blank" target="_blank" href="/wasd_root/exercise/perf_scripts_v115.txt">WASD_ROOT:[EXERCISE]PERF_SCRIPTS_V115.TXT</a>
</ul>

<a id="11.2.0.0.3" href="#"></a>
<a id="11.2.persistentscripting" href="#"></a>
<a id="persistentscripting" href="#"></a>
<h5 class="head"><span class="text">Persistent Scripting</span></h5>

<p> CGI scripting is notoriously slow (as above), hence the effort
expended by designers in creating persistent scripting environments - those
where the scripting engine (and perhaps other state) is maintained between
requests.  Both WASD and Apache implement these as integrated features,
the former as <span class="high bold">CGIplus/RTE</span> and the latter as <span class="high bold">loadable modules</span>.

<p> The <span class="high italic">CGIplus</span> and <span class="high italic">Apache module</span> data from the above CGIPLUSTEST.EXE
table show the benefits of having scripts persist, reducing activation latency,
thereby increasing throughput, and potentially retaining state, including the
scripts themselves in local caches.   Both WASD and VMS Apache use their
respective <span class="high bold">persistence technologies</span> to provide common scripting
environments, including <span class="high bold">Perl</span>, <span class="high bold">PHP</span> and <span class="high bold">Python</span>.

<p> The WASD CGIplus/RTE technology used to implement its persistent scripting
environments is available for general use and, being based on CGI principles,
offers a ready adaptation of well-known principles.  Most site-specific scripts
can also be built using the libraries, code fragments, and example scripts
provided with the WASD package, and obtain similar efficiencies and low latencies.
See the <a class="link blank" target="_blank" href="../../scripting/scripting.html">WASD Scripting Environment</a> document.
<!-- source:1200_UPDATE.WASDOC -->
<hr class="page">
<a id="12." href="#"></a>
<a id="12.httpdwebupdate" href="#"></a>
<a id="httpdwebupdate" href="#"></a>
<h1 class="head"><span class="numb">12.</span><span class="text">HTTPd Web Update</span></h1>


<p> The <span class="high bold">Upd</span>ate facility allows Web documents and file
environments to be administered from a standard browser.  This capability is
available to Web administrator and user alike.  Availability and capability
depends on the authorization environment within the server.

<p> It <span class="high bold">should be stressed</span> that this is not designed as a full
hypertext administration or authoring tool, and for document preparation
relies on the editing capabilities of the &lt;TEXTAREA&gt; widget of the
user's browser. It does however, allow <span class="high bold">ad-hoc changes</span> to be
made to documents fairly easily, as well as allowing documents to be deleted,
and directories to be created and deleted.

<p> Consult the 
<a class="link blank" target="_blank" href="https://wasd.kicks-ass.net/httpd/-/updhelp.html">Current UPDate documentation</a> for usage detail.

<p> Here is <a class="link blank" target="_blank" href="/upd/wasd_root/">an example of the interface</a> (access may be
denied).

<a class="imglink" target="_blank" href="./update.png"><img class="image" src="./update.png"></a>

<a class="imglink" target="_blank" href="./edit.png"><img class="image" src="./edit.png"></a>

<a id="12.0.0.0.1" href="#"></a>
<a id="12.updateaccesspermission" href="#"></a>
<a id="updateaccesspermission" href="#"></a>
<h5 class="head"><span class="text">Update Access Permission</span></h5>

<p> If SSL is in use (see <a class="link" href="#4.transportlayersecurity">4. Transport Layer Security</a>) then
the username/password privacy of the authorization environment is inherently
protected by the encrypted communications. To restrict web update functionality
to this secure environment, add the following to the WASD_CONFIG_MAP
configuration file:

<div class="blockof code">/upd/*  &quot;403 Access denied.&quot;  ![sc:https]
</div>

<p> Of course, the user must have write (POST/PUT) access to the document or
area on the server (i.e. the <span class="high italic">path</span>) and the server account have file
system permission to write into the <span class="high under">parent directory</span>.

<p> The server will report &quot;Insufficient privilege or object protection
violation ... /path/document&quot; if it does not have file system permission to
write into a directory.

<p> Also see <a class="link" href="#3.13.controllingserverwriteaccess">3.13 Controlling Server Write Access</a> for information on write
access control for the server account.
<!-- source:1300_UTILITIES.WASDOC -->
<hr class="page">
<a id="13." href="#"></a>
<a id="13.utilitiesandfacilities" href="#"></a>
<a id="utilitiesandfacilities" href="#"></a>
<h1 class="head"><span class="numb">13.</span><span class="text">Utilities and Facilities</span></h1>

<div class="TOC2cols2">
<table class="TOC2table">
<tr><td><a href="#13.1.echofacility"><span class="numb">13.1</span><span class="text">Echo Facility</span></a>
<tr><td><a href="#13.2.hissfacility"><span class="numb">13.2</span><span class="text">Hiss Facility</span></a>
<tr><td><a href="#13.3.streamfacility"><span class="numb">13.3</span><span class="text">Stream Facility</span></a>
<tr><td><a href="#13.4.wherefacility"><span class="numb">13.4</span><span class="text">Where Facility</span></a>
<tr><td><a href="#13.5.xrayfacility"><span class="numb">13.5</span><span class="text">Xray Facility</span></a>
<tr><td><a href="#13.6.calogs"><span class="numb">13.6</span><span class="text">CALogs</span></a>
<tr><td><a href="#13.7.cspreporter"><span class="numb">13.7</span><span class="text">CSPreport[er]</span></a>
<tr><td><a href="#13.8.htadmin"><span class="numb">13.8</span><span class="text">HTAdmin</span></a>
<tr><td><a href="#13.9.httpdmonitor"><span class="numb">13.9</span><span class="text">HTTPd Monitor</span></a>
<tr><td><a href="#13.10.md5digest"><span class="numb">13.10</span><span class="text">MD5digest</span></a>
<tr><td><a href="#13.11.qdlogstats"><span class="numb">13.11</span><span class="text">QDLogStats</span></a>
<tr><td><a href="#13.12.sechanutility"><span class="numb">13.12</span><span class="text">SECHAN Utility</span></a>
<tr><td><a href="#13.13.streamlfutility"><span class="numb">13.13</span><span class="text">StreamLF Utility</span></a>
<tr><td><a href="#13.14.wasteeutility"><span class="numb">13.14</span><span class="text">WAStee Utility</span></a>
<tr><td><a href="#13.15.wotsuputility"><span class="numb">13.15</span><span class="text">WOTSUP Utility</span></a>
</table>
</div>


<p> Foreign commands for external utilities (and the HTTPD control
functionality) will need to be assigned from the administration users' LOGIN.COM,
either explicitly or by calling the
<a class="link blank" target="_blank" href="/wasd_root/example/wasdverbs.com">WASD_ROOT:[EXAMPLE]WASDVERBS.COM</a>
procedure.

<div class="blockof code">&dollar; AB == &quot;&dollar;WASD_EXE:AB&quot;
&dollar; HTTPD == &quot;&dollar;WASD_EXE:HTTPD&quot;
&dollar; HTTPDMON == &quot;&dollar;WASD_EXE:HTTPDMON&quot;
&dollar; MD5DIGEST == &quot;&dollar;WASD_EXE:MD5DIGEST&quot;
&dollar; QDLOGSTATS == &quot;&dollar;WASD_EXE:QDLOGSTATS&quot;
&dollar; SECHAN == &quot;&dollar;WASD_EXE:SECHAN&quot;
&dollar; STREAMLF == &quot;@WASD_EXE:STREAMLF&quot;
&dollar; WB == &quot;&dollar;WASD_EXE:WB&quot;
</div>

<a id="13.1" href="#"></a>
<a id="13.1.echofacility" href="#"></a>
<a id="echofacility" href="#"></a>
<h2 class="head"><span class="numb">13.1</span><span class="text">Echo Facility</span></h2>


<p> Ever had to go to extraordinary lengths to find out exactly what your
browser is sending to the server? The server provides a request echo facility.
This merely returns the complete request as a plain-text document. This can be
used for checking the request header lines being provided by the browser,
and can be valuable in the diagnosis of POSTed forms, etc.

<p> This facility must be enabled through a mapping rule entry.

<div class="blockof code">script /echo/* /echo/*
</div>

<p> It may then be used with any request merely by inserting &quot;/echo&quot; at
the start of the path, as in the following example.

<div class="blockof code">http://www.example.com/echo/wasd_root/
</div>

<a id="13.2" href="#"></a>
<a id="13.2.hissfacility" href="#"></a>
<a id="hissfacility" href="#"></a>
<h2 class="head"><span class="numb">13.2</span><span class="text">Hiss Facility</span></h2>

<p> The <span class="high italic">hiss</span> facility provides a response stream made up of random
alpha-numeric characters (a sort of alpha-numeric white-noise).  No response
header is generated and the stream will continue (by default) up to one
megabyte of output, or until the client closes the connection. This maximum may
be controlled by appending to the mapping an integer representing the maximum
number of kilobytes. This facility must be enabled through a mapping rule
entry and may then be used for specific requests.

<div class="blockof code">map /**.dll* /hiss/64/*.dll*
map /**/system32/* /hiss/64/*/system32/*
map /**default.ida* /hiss/64/*default.ida*
script /hiss/* /hiss/*
</div>

<p> Usage details are described in
<a class="link blank" target="_blank" href="../config/#securityconsiderations">Security Considerations</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>.

<a id="13.3" href="#"></a>
<a id="13.3.streamfacility" href="#"></a>
<a id="streamfacility" href="#"></a>
<h2 class="head"><span class="numb">13.3</span><span class="text">Stream Facility</span></h2>

<p> The <span class="high italic">stream</span> facility provides a quantified or unlimited response
stream of printable or binary octets.  It is intended as a light-weight data
source delivering content at the maximum throughput capable by the server and
platform.  This can be used as a test source or for end-to-end metrics. This
facility must be enabled through a mapping rule.

<div class="blockof code">script /stream/* /stream/*
</div>

<p> It may then be used to generate streams of data with various
characteristics and sizes by including parameters in the URL.

<ul class="list">

<li class="item"> Without parameters it produces a text/plain response header with an unlimited
stream of random 8 bit printable and newline characters.  The stream ceases at
client disconnection.

<div class="blockof code">http://www.example.com/stream/
</div>

<li class="item"> With an integer parameter the stream ceases when the response has
delivered that many kilobytes (1024) of characters.

<div class="blockof code">http://www.example.com/stream/50/
</div>

<li class="item"> A 100 kilobyte stream of repeated 80 column, newline terminated characters
in the range &quot;+&quot; (0x2b) to &quot;z&quot; (0x7a).  Intended to provide an
entirely predictable sequence for testing purposes.

<div class="blockof code">http://www.example.com/stream/text:100/
</div>

<li class="item"> The following produces an application/binary response header with an
unlimited stream of random octets.

<div class="blockof code">http://www.example.com/stream/binary/
</div>

<li class="item"> One megabyte of random octets.

<div class="blockof code">http://www.example.com/stream/binary:1024/
</div>

<li class="item"> An unlimited stream of octets cycling from 0x00 to 0xff.   Intended to
provide an entirely predictable sequence for testing purposes.

<div class="blockof code">http://www.example.com/stream/octets/
</div>

</ul>

<a id="13.4" href="#"></a>
<a id="13.4.wherefacility" href="#"></a>
<a id="wherefacility" href="#"></a>
<h2 class="head"><span class="numb">13.4</span><span class="text">Where Facility</span></h2>

<p> Need to locate where VMS has the HTTPd files?  This simple facility maps
the supplied path then parses it to obtain a resulting VMS file specification.
<span class="high bold">This does not demonstrate whether the path actually exists!</span>

<p> This facility must be enabled through a mapping rule entry.

<div class="blockof code">script /where/* /where/*
</div>

<p> It may then be used with any request merely by inserting &quot;/where&quot; at
the start of the path, as in the following example.

<div class="blockof code">http://www.example.com/where/wasd_root/
</div>

<a id="13.5" href="#"></a>
<a id="13.5.xrayfacility" href="#"></a>
<a id="xrayfacility" href="#"></a>
<h2 class="head"><span class="numb">13.5</span><span class="text">Xray Facility</span></h2>


<p> The Xray facility returns a request's complete response, <span class="high bold">both
header and body</span>, as a plain text document.  Being able to <span class="high italic">see</span>
the internals of the response header as well as the contents of the body
rendered in plain text can often be valuable when developing scripts, etc.

<p> This facility must be enabled through a mapping rule entry.

<div class="blockof code">script /Xray/* /Xray/*
</div>

<p> It may then be used with any request merely by inserting &quot;/xray&quot; at
the start of the path, as in the following example.

<div class="blockof code">http://www.example.com/xray/wasd_root/
</div>

<a id="13.6" href="#"></a>
<a id="13.6.calogs" href="#"></a>
<a id="calogs" href="#"></a>
<h2 class="head"><span class="numb">13.6</span><span class="text">CALogs</span></h2>

<p> The Consolidate Access LOGS utility (pronounced similar to the breakfast
cereal brand :-) merges multiple HTTP server common and combined format access
logs into a single log file with records in time-order.  Due to the granularity
of HTTP server entry timestamps (one second) the records are sorted to the one
second but not within the one second.

<p> It uses RMS and the VMS sort-merge routines to provide the basic
consolidation functionality.  An RMS search uses the supplied wildcard log file
specification.  Matching files are opened and each record read.  The date/time
field is parsed and a binary timestamp generated.  Records with formats or
date/time fields that do not make sense to the utility are discarded.  When all
files have been processed the sort-merge is performed using the timestamp as
the key.  The sorted records are then written to the specified output file.

<p> <span class="high bold">&dollar; calogs &lt;log-file-spec&gt; [&lt;output-file-name&gt;] [&lt;qualifiers&gt;]</span>

<p> 
<a id="13.6.0.0.1" href="#"></a>
<a id="13.6.parametersandqualifiers" href="#"></a>
<a id="parametersandqualifiers" href="#"></a>
<h5 class="head"><span class="text">Parameters and Qualifiers</span></h5>
<table class="tabl">
<tr class="tabr under">
<th class="tabh">Parameter
<th class="tabh">Description
<tr class="tabr">
<tr class="tabr backlight">
<td class="tabd">/HELP
<td class="tabd">basic usage information
<tr class="tabr">
<td class="tabd">/NOPROXY
<td class="tabd">discard proxy service records
<tr class="tabr backlight">
<td class="tabd">/NOWASD
<td class="tabd">discard WASD server status/timestamp entries
<tr class="tabr">
<td class="tabd">/OUTPUT=
<td class="tabd">alternate method of specifying merged file name
<tr class="tabr backlight">
<td class="tabd">/PROXY
<td class="tabd">discard non-proxy service records
<tr class="tabr">
<td class="tabd">/QUIET
<td class="tabd">no messages apart from errors
<tr class="tabr backlight">
<td class="tabd">/VERBOSE
<td class="tabd">per-file progress messages
<tr class="tabr">
<td class="tabd">/VERSION
<td class="tabd">display the utility version and copyright message
</table>

<a id="13.6.0.0.2" href="#"></a>
<a id="13.6.usageexamples" href="#"></a>
<a id="usageexamples" href="#"></a>
<h5 class="head"><span class="text">Usage Examples</span></h5>

<div class="blockof code">&dollar; CALOGS == &quot;&dollar;WASD_EXE:CALOGS&quot;
&dollar; CALOGS WASD_LOGS:*200205*.LOG 2002_MAY.LOG
&dollar; CALOGS /VERBOSE WASD_LOGS:
&dollar; CALOGS /NOWASD WASD_LOGS:*200206*.LOG_* /OUTPUT=2002_JUNE.LOG
&dollar; CALOGS /PROXY /NOWASD WASD_LOGS:*2002*.LOG 2002_PROXY.LOG
</div>

<a id="13.7" href="#"></a>
<a id="13.7.cspreporter" href="#"></a>
<a id="cspreporter" href="#"></a>
<h2 class="head"><span class="numb">13.7</span><span class="text">CSPreport[er]</span></h2>

<p> Content Security Policy (CSP) is an added layer of security that helps to
detect and mitigate certain types of attacks, including Cross Site Scripting
(XSS) and data injection attacks.

<p class="indent"> <a class="link blank" target="_blank" href="https://en.wikipedia.org/wiki/Content_Security_Policy">https://en.wikipedia.org/wiki/Content_Security_Policy</a>
<br> <a class="link blank" target="_blank" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP</a>

<p> WASD provides CSP support using mapping rules.  See
<a class="link blank" target="_blank" href="../config/#contentsecuritypolicycsp">Content Security Policy (CSP)</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>.

<p> When POSTed to, this utility appends a timestamp and the CSP report JSON to the
file specified by the CSPREPORT_FILE logical name.  This file must be located
where the scripting account has read and write access.  When accessed using
a GET the utility reads the stored CSP reports and returns a formatted HTML
report listing each.  GET requests (reporting) must be subject to
authentication and authorisation.

<p> For further information check the descriptive prologue in the
<a class="link blank" target="_blank" href="/wasd_root/src/utils/cspreport.c">WASD_ROOT:[SRC.UTILS]CSPREPORT.C</a> source
code.

<a id="13.8" href="#"></a>
<a id="13.8.htadmin" href="#"></a>
<a id="htadmin" href="#"></a>
<h2 class="head"><span class="numb">13.8</span><span class="text">HTAdmin</span></h2>

<p> The HTAdmin utility assists with the command-line maintenance of &dollar;HTA
authorization databases.  See 
<a class="link blank" target="_blank" href="../config/#authorizationconfigurationbasics">Authorization Configuration (Basics)</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>
and <a class="link" href="#3.authenticationandauthorization">3. Authentication and Authorization</a>.

<p> <span class="high bold"> htadmin &lt;database&gt; [&lt;username&gt;] [&lt;qualifiers&gt;]</span>

<a id="13.8.0.0.1" href="#"></a>
<a id="13.8.parametersandqualifiers" href="#"></a>
<a id="parametersandqualifiers" href="#"></a>
<h5 class="head"><span class="text">Parameters and Qualifiers</span></h5>

<table class="tabl">
<tr class="tabr under">
<th class="tabh">Parameter
<th class="tabh">Description
<tr class="tabr">
<tr class="tabr backlight">
<td class="tabd">/ADD
<td class="tabd">add a new record
<tr class="tabr">
<td class="tabd">/CONFIRM
<td class="tabd">confirm deletion of database
<tr class="tabr backlight">
<td class="tabd">/CONTACT=&quot;&lt;string&gt;&quot;
<td class="tabd">contact information for record
<tr class="tabr">
<td class="tabd">/CREATE
<td class="tabd">create a new database
<tr class="tabr backlight">
<td class="tabd">/CSV[=TAB&verbar;char]
<td class="tabd">comma-separated listing (optional character)
<tr class="tabr">
<td class="tabd">/DATABASE=
<td class="tabd">database name (or as command-line parameter)
<tr class="tabr backlight">
<td class="tabd">/DELETE
<td class="tabd">delete a database or username record from a database
<tr class="tabr">
<td class="tabd">/DISABLED
<td class="tabd">username record is disabled (cannot be used)
<tr class="tabr backlight">
<td class="tabd">/EMAIL=&quot;&lt;string&gt;&quot;
<td class="tabd">email address for record
<tr class="tabr">
<td class="tabd">/ENABLED
<td class="tabd">username record is enabled (can be used)
<tr class="tabr backlight">
<td class="tabd">/FULL
<td class="tabd">listing showing full details
<tr class="tabr">
<td class="tabd">/GENERATE
<td class="tabd">generate a six-character password
<tr class="tabr backlight">
<td class="tabd">/HELP
<td class="tabd">basic usage information
<tr class="tabr">
<td class="tabd">/[NO]HTTPS
<td class="tabd">synonym for /SSL
<tr class="tabr backlight">
<td class="tabd">/LIST
<td class="tabd">listing (brief by default, see /FULL and /CSV)
<tr class="tabr">
<td class="tabd">/MODIFY
<td class="tabd">synonym for /UPDATE
<tr class="tabr backlight">
<td class="tabd">/NAME=&quot;&lt;string&gt;&quot;
<td class="tabd">full name for username record
<tr class="tabr">
<td class="tabd">/OUTPUT=
<td class="tabd">alternate output for database listing
<tr class="tabr backlight">
<td class="tabd">/PASSWORD[=&lt;string&gt;]
<td class="tabd">username record password (prompts if not supplied)
<tr class="tabr">
<td class="tabd">/PIN
<td class="tabd">generate four-digit &quot;PIN number&quot; for password
<tr class="tabr backlight">
<td class="tabd">/[NO]READ
<td class="tabd">username can/can't read
<tr class="tabr">
<td class="tabd">/SORT[=&lt;parameters&gt;]
<td class="tabd">sort the records into a new/another database
<tr class="tabr backlight">
<td class="tabd">/[NO]SSL
<td class="tabd">user can only authenticate via SSL (&quot;https:&quot;)
<tr class="tabr">
<td class="tabd">/[NO]WRITE
<td class="tabd">username can/can't write
<tr class="tabr backlight">
<td class="tabd">/UPDATE
<td class="tabd">update an existing username record
<tr class="tabr">
<td class="tabd">/USER=&lt;string&gt;
<td class="tabd">username
<tr class="tabr backlight">
<td class="tabd">/VERSION
<td class="tabd">display version of HTADMIN
</table>

<a id="13.8.0.0.2" href="#"></a>
<a id="13.8.usageexamples" href="#"></a>
<a id="usageexamples" href="#"></a>
<h5 class="head"><span class="text">Usage Examples</span></h5>

<ul class="list">

<li class="item"> To create a new database named EXAMPLE.&dollar;HTA (in the current directory)

<div class="blockof code">&dollar; HTADMIN EXAMPLE /CREATE
</div>

<li class="item"> Delete an existing database

<div class="blockof code">&dollar; HTADMIN EXAMPLE /DELETE /CONFIRM
</div>

<li class="item"> List (briefly) the records

<div class="blockof code">&dollar; HTADMIN EXAMPLE
</div>

<li class="item"> List (briefly) the specific user record DANIEL

<div class="blockof code">&dollar; HTADMIN EXAMPLE DANIEL
</div>

<li class="item"> List all detail (132 columns) of the specified user record

<div class="blockof code">&dollar; HTADMIN EXAMPLE DANIEL /FULL
</div>

<li class="item"> To add the new record DANIEL with default read access

<div class="blockof code">&dollar; HTADMIN EXAMPLE DANIEL /ADD /NAME=&quot;Mark Daniel&quot; 
</div>

<li class="item"> Add the new record DANIEL with contact details and read+write access

<div class="blockof code">&dollar; HTADMIN EXAMPLE DANIEL /ADD /WRITE /CONTACT=&quot;Postal Address&quot;
</div>

<li class="item"> Add the new record DANIEL and be prompted for a password, or to specify the
password on the command-line, or have the utility generate a password or
four-digit PIN style password (which is displayed after the record is
successfully added)

<div class="blockof code">&dollar; HTADMIN EXAMPLE DANIEL /ADD /NAME=&quot;Mark Daniel&quot; /PASSWORD
&dollar; HTADMIN EXAMPLE DANIEL /ADD /NAME=&quot;Mark Daniel&quot; /PASSWORD=cher10s
&dollar; HTADMIN EXAMPLE DANIEL /ADD /NAME=&quot;Mark Daniel&quot; /GENERATE
&dollar; HTADMIN EXAMPLE DANIEL /ADD /NAME=&quot;Mark Daniel&quot; /PIN
</div>

<li class="item"> To update an existing record

<div class="blockof code">&dollar; HTADMIN EXAMPLE DANIEL /UPDATE /EMAIL=&quot;Mark.Daniel@wasd.vsm.com.au&quot;
</div>

<li class="item"> Update the specified record's password interactively, then have the
utility generate a password, then a four-digit PIN for a password (which is then displayed)

<div class="blockof code">&dollar; HTADMIN EXAMPLE DANIEL /UPDATE /PASSWORD
&dollar; HTADMIN EXAMPLE DANIEL /UPDATE /GENERATE
&dollar; HTADMIN EXAMPLE DANIEL /UPDATE /PIN
</div>

<li class="item"> Disable then enable an existing user record without changing anything else

<div class="blockof code">&dollar; HTADMIN EXAMPLE DANIEL /UPDATE /DISABLE
&dollar; HTADMIN EXAMPLE DANIEL /UPDATE /ENABLE
</div>

<li class="item"> To list the entire database, first briefly, then in 132 column mode (with all
detail), then finally as a comma-separated listing

<div class="blockof code">&dollar; HTADMIN EXAMPLE
&dollar; HTADMIN EXAMPLE /FULL
&dollar; HTADMIN EXAMPLE /CSV
</div>

</ul>

<a id="13.8.0.0.3" href="#"></a>
<a id="13.8.sortdetails" href="#"></a>
<a id="sortdetails" href="#"></a>
<h5 class="head"><span class="text">Sort Details</span></h5>

<p> The /SORT qualifier sorts the current database records according to the
/SORT= parameters.  It can be used with the /LIST qualifier to produce ordered
reports or, without /LIST, will output the records into another authentication
file.  By default it sorts ascending by username.  Qualifier parameters allow a
sort by DATE or COUNT.  Each of these allows the further specification of which
date or count: ACCESS, CHANGE or FAILURE.

<ul class="list">


<li class="item"> Generating a listing with specified order

<div class="blockof code">&dollar; HTADMIN EXAMPLE /LIST /SORT=DATE=ACCESS
&dollar; HTADMIN EXAMPLE /LIST /SORT=COUNT=FAILURE /OUTPUT=EXAMPLE.LIS
</div>

<li class="item"> Sort descending by username into a higher version of EXAMPLE.&dollar;HTA

<div class="blockof code">&dollar; HTADMIN EXAMPLE /SORT
</div>

<li class="item"> To sort by username into another .&dollar;HTA file

<div class="blockof code">&dollar; HTADMIN EXAMPLE /SORT /OUTPUT=ANOTHER
</div>

<li class="item"> List by most-recently accessed

<div class="blockof code">&dollar; HTADMIN EXAMPLE /LIST /SORT=DATE
</div>

<li class="item"> List by most-recently failed to authenticate

<div class="blockof code">&dollar; HTADMIN EXAMPLE /LIST /SORT=DATE=FAILURE
</div>

<li class="item"> Sort file into order by most frequently authenticated (accessed)

<div class="blockof code">&dollar; HTADMIN EXAMPLE /SORT=COUNT
</div>

</ul>

<a id="13.9" href="#"></a>
<a id="13.9.httpdmonitor" href="#"></a>
<a id="httpdmonitor" href="#"></a>
<h2 class="head"><span class="numb">13.9</span><span class="text">HTTPd Monitor</span></h2>

<p> The HTTP server may be monitored in real-time using the HTTPDMON utility.

<a class="imglink" target="_blank" href="./httpdmon.png"><img class="image" src="./httpdmon.png"></a>

<p> This utility continuously displays a screen of information comprising four
or five of the following sections: 

<ol class="list">


<li class="item"> <span class="high bold">System Information</span>
<br>
The nodename, instance number(s), monitor version and current date/time.

<li class="item"> <span class="high bold">Process Information</span>
<br>
HTTPd process information includes its up-time, CPU-time consumed (excluding 
any subprocesses), I/O counts, and memory utilization.  The &quot;Servers:&quot;
item shows how many servers are currently running on the node/cluster.  Changes
in this count are indicated by the second, parenthesized number.

<li class="item"> <span class="high bold">General Server Counters</span>
<br>
The server counters keep track of the total connections received, accepted, 
rejected, etc., totals for each request type (file transfer, directory 
listing, image mapping, etc.).

<br> <sup>**</sup> The request count of 3.8M is a real value, as are the
others, with the screenshot taken during x86-64 (V9.1-A) testing using OWASP
ZAP.

<li class="item"> <span class="high bold">Proxy Serving Counters</span>
<br>
The server counters keep track of proxy serving connections, network and cache
traffic, cache status, etc.

<li class="item"> <span class="high bold">Latest Request</span>
<br>
This section provides the response status code, and some transaction
statistics, the service being accessed, originating host and HTTP request. 
Note that long request strings may be truncated (indicated by a bolded
ellipsis).

<li class="item"> <span class="high bold">Status Message</span>
<br>
If the server is in an exceptional condition, for example exited after a fatal
error, starting up, etc., a textual message may be displayed in place of the
request information.  This may be used to initiate remedial actions, etc.

</ol>

<p> The &quot;/HELP&quot; qualifier provides a brief usage summary.

<p> The server counter values are carried over when a server (re)starts 
(provided the system has stayed up).  To reset the counters use the online
Server Administration facility (<a class="link" href="#9.serveradministration">9. Server Administration</a>).

<p> If [DNSlookup] is disabled for the HTTP server the HTTPDMON utility
attempts to resolve the literal address into a host name. This may be disabled
using the /NORESOLVE qualifier.

<a id="13.10" href="#"></a>
<a id="13.10.md5digest" href="#"></a>
<a id="md5digest" href="#"></a>
<h2 class="head"><span class="numb">13.10</span><span class="text">MD5digest</span></h2>

<p> From RFC1321 &hellip;

<p> &quot; The [MD5] algorithm takes as input a message of arbitrary length
and produces as output a  128-bit &quot;fingerprint&quot; or &quot;message digest&quot; of the
input. It is conjectured that it is computationally infeasible to produce two
messages having the same message digest, or to produce any message having a
given prespecified target message digest. &quot;

<p> The MD5DIGEST utility is primarily provided with WASD for verifying kits
as unchanged from the originals released.  With the proliferation of mirror
sites and other distribution resources it has become good practice to ensure
kits remain unchanged from release, to distribution, to installation site
(changes due to data corruption or malicious intent - as remote a
possibility as that may seem).  Note that MD5 collisions are now practical, so
while the digest reliably detects accidental corruption it is a weak guarantee
against deliberate substitution.  Of course it may also be used for any other
purpose where the MD5 hash is useful.

<p> For verifying the contents of a WASD release connect to the
<span class="high bold">original</span> WASD distribution site, refer to the download page,
and compare the release MD5 hash found in the list of all archive hashes with
the MD5 hash of your archive.  That can be done as follows

<div class="blockof code">&dollar; MD5DIGEST == &quot;&dollar;WASD_EXE:MD5DIGEST&quot;
&dollar; MD5DIGEST device:[dir]archive.ZIP
</div>
 The result will look similar to

<div class="blockof code">MD5 (kits:[000000]htroot710.zip;1) = 404bbdfe0f847c597b034feef2d13d2d
</div>

<p> Of course, if you have not yet installed your first WASD distribution,
using the MD5DIGEST utility that is part of it is not feasible.  The original
site can provide kits and pre-built executables for this purpose.

<a id="13.11" href="#"></a>
<a id="13.11.qdlogstats" href="#"></a>
<a id="qdlogstats" href="#"></a>
<h2 class="head"><span class="numb">13.11</span><span class="text">QDLogStats</span></h2>

<p> <span class="high bold">Quick-and-Dirty LOG STATisticS</span> is a utility to extract
very elementary statistics from Web server common/combined format log files. 
It is intended for those moments when we think &quot;I wonder how many times
that new archive has been downloaded?&quot;, &quot;How much data was transferred
during November?&quot;, &quot;How often is <span class="high italic">such-and-such</span> a client
using the authenticated <span class="high italic">so-and-so</span> service?&quot;, &quot;How much has
the mail service been used?&quot; &hellip; and want the results in a matter of
seconds (or at least a few tens of seconds ;-)   It is available at the
command-line and as a CGI script.

<a class="imglink" target="_blank" href="./qdlogstats.png"><img class="image" src="./qdlogstats.png"></a>

<p> For QDLOGSTATS to be available as a CGI script it <span class="high bold">must</span> have authorization
enabled against it (to prevent potential ad hoc browsing of a site's logs). 
The following provides some indication of this configuration, although of
course it requires tailoring for any given site.

<div class="blockof code">[VMS]
/cgi-bin/qdlogstats ~webadmin,131.185.250.*,r+w ;
</div>

<p> It could then be accessed using

<div class="blockof code">http://the.host.name/cgi-bin/qdlogstats
</div>

<p> The initial access provides a form allowing the various filters and other
behaviours to be selected.  The CGI form basically parallels the command-line
behaviour described below.

<a id="13.11.0.0.1" href="#"></a>
<a id="13.11.filters" href="#"></a>
<a id="filters" href="#"></a>
<h5 class="head"><span class="text">Filters</span></h5>

<p> A number of filters allow subsets of the log contents to be selected. 
These filters support the same string matching expressions as the server (see
<a class="link blank" target="_blank" href="../config/#stringmatching">String Matching</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>).

<p> A knowledge of the format and contents of the <span class="high italic">common</span> and
<span class="high italic">combined</span> log formats will assist in deciding which filters
should be used and to what purpose.  Record filtering is done in the same order
as is finally displayed, so <span class="high italic">method</span> would be processed before
<span class="high italic">user-agent</span> for instance.  Normally a record match terminates on the
first non-matched filter (to expedite processing).  To compare and report each
filter for every record apply the /ALL qualifier.  To view records as they are
processed use the /VIEW qualifier.  This by default displays all matched
records, but the optional =ALL or =NOMATCH parameters will display all records,
or all records except the matches.

<p> <span class="high bold"> QDLOGSTATS log-file-spec [pattern qualifiers]
[other qualifiers]</span>

<a id="13.11.0.0.2" href="#"></a>
<a id="13.11.parametersandqualifiers" href="#"></a>
<a id="parametersandqualifiers" href="#"></a>
<h5 class="head"><span class="text">Parameters and Qualifiers</span></h5>

<table class="tabl">
<tr class="tabr under">
<th class="tabh">Parameter
<th class="tabh">Description
<tr class="tabr">
<tr class="tabr backlight">
<td class="tabd">/ALL
<td class="tabd">compare and report on all supplied filters
<tr class="tabr">
<td class="tabd">/AUTHUSER=
<td class="tabd">pattern (any authenticated username)
<tr class="tabr backlight">
<td class="tabd">/BEFORE=
<td class="tabd">log files before this VMS date/time
<tr class="tabr">
<td class="tabd">/CLIENT=
<td class="tabd">pattern (client host name or IP address)
<tr class="tabr backlight">
<td class="tabd">/DATETIME=
<td class="tabd">pattern (&quot;11/Jun/1999:14:08:49 +0930&quot;)
<tr class="tabr">
<td class="tabd">/DECODE[=<span class="high italic">keyword</span>]
<td class="tabd">URL-decode PATH, QUERY,
REFERER before match
<tr class="tabr backlight">
<td class="tabd">/METHOD=
<td class="tabd">pattern (HTTP &quot;GET&quot;, &quot;POST&quot;, etc.)
<tr class="tabr">
<td class="tabd">/OUTPUT=
<td class="tabd">file specification
<tr class="tabr backlight">
<td class="tabd">/PATH=
<td class="tabd">pattern (URL path component only)
<tr class="tabr">
<td class="tabd">/PROGRESS
<td class="tabd">show progress during processing; a &quot;+&quot; for each
file started, a &quot;.&quot; for each 1000 records processed
<tr class="tabr backlight">
<td class="tabd">/QUERY=
<td class="tabd">pattern (URL query component only)
<tr class="tabr">
<td class="tabd">/REFERER=
<td class="tabd">pattern (HTTP &quot;Referer:&quot; field, COMBINED only)
<tr class="tabr backlight">
<td class="tabd">/REMOTEID=
<td class="tabd">pattern (RFC819 file)
<tr class="tabr">
<td class="tabd">/RESPONSE=
<td class="tabd">pattern (HTTP response code)
<tr class="tabr backlight">
<td class="tabd">/SINCE=
<td class="tabd">log files after this VMS date/time
<tr class="tabr">
<td class="tabd">/SIZE[=<span class="high italic">keyword</span>]
<td class="tabd">response size (in bytes)
MIN=<span class="high italic">integer</span> MAX=<span class="high italic">integer</span>
<tr class="tabr backlight">
<td class="tabd">/USERAGENT=
<td class="tabd">pattern (HTTP &quot;User-Agent:&quot; field, COMBINED
only)
<tr class="tabr">
<td class="tabd">/VIEW[=type]
<td class="tabd">display matching log records (ALL, NOMATCH, MATCH)
</table>


<a id="13.11.0.0.3" href="#"></a>
<a id="13.11.usageexamples" href="#"></a>
<a id="usageexamples" href="#"></a>
<h5 class="head"><span class="text">Usage Examples</span></h5>

<ul class="list">

<li class="item"> Records from September 1999.
<div class="blockof code">&dollar; QDLOGSTATS WASD_LOGS:*1999*.LOG /DATE=&quot;*/SEP/1999*&quot;
</div>

<li class="item"> Records where the browser was an X-based Netscape Navigator
<div class="blockof code">&dollar; QDLOGSTATS WASD_LOGS:*.LOG /USERAGENT=*MOZILLA*X11*
</div>

<li class="item"> Records of POST method requests
<div class="blockof code">&dollar; QDLOGSTATS WASD_LOGS:*.LOG /METHOD=POST
</div>

<li class="item"> Records requesting a particular path
<div class="blockof code">&dollar; QDLOGSTATS WASD_LOGS:*.LOG /PATH=&quot;/cgi-bin/*&quot;
</div>

<li class="item"> Select proxy records requesting (a) particular site(s)
<div class="blockof code">&dollar; QDLOGSTATS WASD_LOGS:*8080*.LOG /PATH=&quot;http://*.compaq.com*&quot;
&dollar; QDLOGSTATS WASD_LOGS:*8080*.LOG /METHOD=POST /PATH=&quot;http://*sex*.*/*&quot; /VIEW
</div>

<li class="item"> Records where the request was authenticated
<div class="blockof code">&dollar; QDLOGSTATS WASD_LOGS:*.LOG /AUTHUSER=DANIEL
</div>

</ul>

<a id="13.12" href="#"></a>
<a id="13.12.sechanutility" href="#"></a>
<a id="sechanutility" href="#"></a>
<h2 class="head"><span class="numb">13.12</span><span class="text">SECHAN Utility</span></h2>

<p> The SECHAN utility (pronounced &quot;session&quot;) is used by
[INSTALL]SECURE.COM and associated procedures to make file system security
settings.  It is also available for direct use by the site administrator.  See
<a class="link blank" target="_blank" href="../config/#securityconsiderations">Security Considerations</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>.

<a id="13.13" href="#"></a>
<a id="13.13.streamlfutility" href="#"></a>
<a id="streamlfutility" href="#"></a>
<h2 class="head"><span class="numb">13.13</span><span class="text">StreamLF Utility</span></h2>

<p> This simple procedure uses the FDL facility to convert files to STREAM_LF
format.  The WASD HTTPd server accesses STREAM_LF files in block/IO-mode, far
more efficiently than the record-mode required by variable-record format files.

<p> <span class="high bold">NOTE: </span> The server can also be configured to automatically
convert any VARIABLE record format files it encounters to STREAM_LF.

<a id="13.14" href="#"></a>
<a id="13.14.wasteeutility" href="#"></a>
<a id="wasteeutility" href="#"></a>
<h2 class="head"><span class="numb">13.14</span><span class="text">WAStee Utility</span></h2>

<p> WAStee is a utility to generate time-stamped log files containing intervals
of a long-lived WASD server process, and/or to consolidate all process log
files generated during the defined period.  It is the tee in a PIPE sequence.

<p> This utility is UNSUITABLE for sites using multiple instances and/or
environments on a node.  Only the first of multiple server processes will have
the log teed.

<p> For further information check the descriptive prologue in the
<a class="link blank" target="_blank" href="/wasd_root/src/utils/wastee.c">WASD_ROOT:[SRC.UTILS]WASTEE.C</a> source code.

<a id="13.15" href="#"></a>
<a id="13.15.wotsuputility" href="#"></a>
<a id="wotsuputility" href="#"></a>
<h2 class="head"><span class="numb">13.15</span><span class="text">WOTSUP Utility</span></h2>

<p> The &quot;WASD Over-The-Shoulder Uptime Picket&quot; is designed to monitor
WASD in a production environment for the purpose of alerting operations staff
to conditions which might cause that production to be adversely impacted.

<p> Alert triggers include:

<ul class="list list0">
<li class="item"> server image exit and/or startup (default)
<li class="item"> server process non-existent or suspended (default)
<li class="item"> percentage thresholds on process quotas (optional)
<li class="item"> rates of HTTP status counter change (optional)
<li class="item"> maximum period without request processing (optional)
</ul>

<p> Alert reports can be delivered via any combination of:

<ul class="list list0">
<li class="item"> OPCOM message
<li class="item"> MAIL
<li class="item"> site-specific DCL command executed in a spawned subprocess
<li class="item"> log file entry
</ul>

<p> The utility runs in a detached process and monitors the server environment
by periodically polling various server data, at a default interval of 15
seconds.  Because the utility requires access to global memory accounting, a
per-system WOTSUP is required on each node to be monitored.

<p> The following (somewhat contrived) example illustrates the format and
content of a WOTSUP report delivered via OPCOM.  Reports delivered via other
mechanisms have the same content and similar format.

<div class="blockof code">%%%%%%%%%%  WOTSUP  24-OCT-2006 13:32:56.44  %%%%%%%%%%%
Message from user SYSTEM on KLAATU
Over-The-Shoulder (WASD_WOTSUP) reports:
1. server PID 001C0950 exit %X00000001 (%SYSTEM-S-NORMAL)
2. server STARTUP (10)
3. server PIDs are 0018C14F (HTTPd:80), 001C0950 (HTTPe:80)
4. pagfilcnt:395432 pgflquota:500000 79% &lt;= 80%
</div>

<p> For further information check the descriptive prologue in the
<a class="link blank" target="_blank" href="/wasd_root/src/utils/wotsup.c">WASD_ROOT:[SRC.UTILS]WOTSUP.C</a> source code.
<!-- source:1400_INDEX.WASDOC -->
<hr class="page">
<a id="14." href="#"></a>
<a id="14.index" href="#"></a>
<a id="index" href="#"></a>
<h1 class="head"><span class="numb">14.</span><span class="text">Index</span></h1>


<div class="IDXcols2">
<table class="IDXtable">
<tr><td class="alpha">A</td><td class="text"><a href="#0.abstract">&lsquo;Abstract&rsquo; in  WASD Features and Facilities</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.1.accessbeforeconfiguration">9.1&nbsp;Access Before Configuration</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.2.accessconfiguration">9.2&nbsp;Access Configuration</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#2.accesscontrol">&lsquo;Access Control&rsquo; in 2. Package Overview</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.1.5.accessfiltering">&lsquo;Access Filtering&rsquo; in 7.1.5 Controlling Proxy Serving</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.4.accessrestrictionkeywords">&lsquo;Access Restriction Keywords&rsquo; in 3.4 Authorization Configuration File</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.7.1.accounting">9.7.1&nbsp;Accounting</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.10.1.acme">3.10.1&nbsp;ACME</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.6.7.addinganumbersignquotquottothewebfolderaddress">6.6.7&nbsp;Adding a number-sign (&quot;#&quot;) to the webfolder-address</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.6.6.addingaportnumbertothewebfolderaddress">6.6.6&nbsp;Adding a port number to the webfolder-address</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#2.administration">&lsquo;Administration&rsquo; in 2. Package Overview</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.6.2.afterreceivingthecertificate">&lsquo;After Receiving The Certificate&rsquo; in 4.6.2 Certificate Signing Request</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.7.2.alignmentfaults">9.7.2&nbsp;Alignment Faults</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.2.allopenssl102andearlier">&lsquo;All OpenSSL 1.0.2 and earlier&rsquo; in 4.2 TLS/SSL Functionality Sources</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.5.alternativeusingprofile">&lsquo;Alternative Using /PROFILE&rsquo; in 9.5 HTTPd Server Revise</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#11.apachecomparison">&lsquo;Apache Comparison&rsquo; in 11. Server Performance</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#0.apachelicenseversion20">&lsquo;Apache License, Version 2.0&rsquo; in  WASD Features and Facilities</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.2.asofwasdv120cachingisobsolete">&lsquo;As of WASD v12.0 Caching is OBSOLETE&rsquo; in 7.2 Proxy Cache</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.8.athome">&lsquo;At Home&rsquo; in 4.8 SSL Service Evaluation</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#15.attributionandacknowledgement">15.&nbsp;Attribution and Acknowledgement</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.7.3.authentication">9.7.3&nbsp;Authentication</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.authenticationandauthorization">3.&nbsp;Authentication and Authorization</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.16.authenticationcache">&lsquo;Authentication Cache&rsquo; in 3.16 Cancelling Authorization</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.2.authenticationcacheandrevalidation">&lsquo;Authentication Cache and Revalidation&rsquo; in 3.2 Authentication Policy</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.2.authenticationfailures">&lsquo;Authentication Failures&rsquo; in 3.2 Authentication Policy</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.2.authenticationpolicy">3.2&nbsp;Authentication Policy</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.5.authenticationsources">3.5&nbsp;Authentication Sources</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.9.authorizationcache">3.9&nbsp;Authorization Cache</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.8.authorizationconfigurationexamples">3.8&nbsp;Authorization Configuration Examples</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.4.authorizationconfigurationfile">3.4&nbsp;Authorization Configuration File</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.5.12.authorizationusingx509certification">4.5.12&nbsp;Authorization Using X.509 Certification</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.6.1.authorizationverification">&lsquo;Authorization Verification&rsquo; in 7.6.1 Reverse Proxy</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.8.2.automatic">7.8.2&nbsp;Automatic</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.2.2.avoidquotinterestingquotfilenames">&lsquo;Avoid &quot;Interesting&quot; File Names&rsquo; in 6.2.2 File Naming</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.6.3.avoidingmicrosoftpropertyclutter">6.6.3&nbsp;Avoiding Microsoft Property Clutter</a>
<tr><td class="alpha">B</td><td class="text"><a href="#11.benchmarksetup">&lsquo;Benchmark Setup&rsquo; in 11. Server Performance</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#15.bjoumlernhoumlehrmann">&lsquo;Bj&ouml;ern H&ouml;ehrmann&rsquo; in 15. Attribution and Acknowledgement</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.8.browserproxyconfiguration">7.8&nbsp;Browser Proxy Configuration</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.5.16.byresource">&lsquo;By Resource&rsquo; in 4.5.16 X509 Configuration</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.5.16.byservice">&lsquo;By Service&rsquo; in 4.5.16 X509 Configuration</a>
<tr><td class="alpha">C</td><td class="text"><a href="#9.7.4.cache">9.7.4&nbsp;Cache</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#13.6.calogs">13.6&nbsp;CALogs</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.16.cancellingauthorization">3.16&nbsp;Cancelling Authorization</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.caution">&lsquo;Caution&rsquo; in 6. WebDAV</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.10.5.caution">&lsquo;CAUTION&rsquo; in 3.10.5 VMS Account Proxying</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.5.17.certificateauthorityverificationfile">4.5.17&nbsp;Certificate Authority Verification File</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.6.certificatemanagement">4.6&nbsp;Certificate Management</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.6.2.certificatesigningrequest">4.6.2&nbsp;Certificate Signing Request</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.1.4.chainauthorization">&lsquo;Chain Authorization&rsquo; in 7.1.4 Proxy Chaining</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.1.5.chainpassword">&lsquo;Chain Password&rsquo; in 7.1.5 Controlling Proxy Serving</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.7.3.chainingfirewall">&lsquo;Chaining FIREWALL&rsquo; in 7.7.3 [ServiceProxyTunnel] FIREWALL</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.7.2.chainingraw">&lsquo;Chaining RAW&rsquo; in 7.7.2 [ServiceProxyTunnel] RAW</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.6.1.changingservercertificates">&lsquo;Changing Server Certificates&rsquo; in 4.6.1 Server Certificate</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#15.clarkcooperetal">&lsquo;Clark Cooper, et al.&rsquo; in 15. Attribution and Acknowledgement</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.7.clienttools">&lsquo;Client Tools&rsquo; in 6.7 References</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#10.2.codemodules">&lsquo;Code Modules&rsquo; in 10.2 Event Categories</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#10.6.commandlineuse">10.6&nbsp;Command-Line Use</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.7.7.complexprivatetunneling">7.7.7&nbsp;Complex Private Tunneling</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#11.1.concurrency1">&lsquo;Concurrency 1&rsquo; in 11.1 Simple File Request Turn-Around</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#11.1.concurrency1">&lsquo;Concurrency 1&rsquo; in 11.1 Simple File Request Turn-Around</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#11.1.concurrency1">&lsquo;Concurrency 1&rsquo; in 11.1 Simple File Request Turn-Around</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#11.2.concurrency1requestssecond">&lsquo;Concurrency 1 - Requests/Second&rsquo; in 11.2 Scripting</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#11.1.concurrency10">&lsquo;Concurrency 10&rsquo; in 11.1 Simple File Request Turn-Around</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#11.1.concurrency10">&lsquo;Concurrency 10&rsquo; in 11.1 Simple File Request Turn-Around</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#11.1.concurrency10">&lsquo;Concurrency 10&rsquo; in 11.1 Simple File Request Turn-Around</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#11.2.concurrency10requestssecond">&lsquo;Concurrency 10 - Requests/Second&rsquo; in 11.2 Scripting</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.2.5.concurrentauthorisation">6.2.5&nbsp;Concurrent Authorisation</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.11.configuration">&lsquo;Configuration&rsquo; in 3.11 Token Authentication</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#8.1.3.configuration">8.1.3&nbsp;Configuration</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.6.configurationactionsection">&lsquo;Configuration Action Section&rsquo; in 9.6 HTTPd Server Action</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.7.5.configurationcheck">9.7.5&nbsp;Configuration Check</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.3.connectserving">7.3&nbsp;CONNECT Serving</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#8.1.2.considerations">8.1.2&nbsp;Considerations</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.6.controlsection">&lsquo;Control Section&rsquo; in 9.6 HTTPd Server Action</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.3.2.controllingconnectserving">7.3.2&nbsp;Controlling CONNECT Serving</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.1.5.controllingproxyserving">7.1.5&nbsp;Controlling Proxy Serving</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.13.controllingserverwriteaccess">3.13&nbsp;Controlling Server Write Access</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.1.1.copyrestrictions">6.1.1&nbsp;COPY Restrictions</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.cryptographysoftware">&lsquo;Cryptography Software&rsquo; in 4. Transport Layer Security</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#13.7.cspreporter">13.7&nbsp;CSPreport[er]</a>
<tr><td class="alpha">D</td><td class="text"><a href="#11.1.dataratembytessecond">&lsquo;Data Rate - MBytes/Second&rsquo; in 11.1 Simple File Request Turn-Around</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.7.6.dclscriptingprocesses">9.7.6&nbsp;DCL/Scripting Processes</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.7.7.decnetscriptingconnections">9.7.7&nbsp;DECnet Scripting Connections</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.1.2.deleterestrictions">6.1.2&nbsp;DELETE Restrictions</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.10.4.deprecatedanddiscouraged">&lsquo;Deprecated and Discouraged&rsquo; in 3.10.4 WASD &quot;Hard-Wired&quot; Identifiers</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.3.directorymetadata">&lsquo;Directory Metadata&rsquo; in 6.3 WebDAV Metadata</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.6.4.dnswildcardproxy">7.6.4&nbsp;DNS Wildcard Proxy</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.5.3.dreamweaver">6.5.3&nbsp;Dreamweaver</a>
<tr><td class="alpha">E</td><td class="text"><a href="#13.1.echofacility">13.1&nbsp;Echo Facility</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.1.1.enablingaproxyservice">7.1.1&nbsp;Enabling A Proxy Service</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.3.1.enablingconnectserving">7.3.1&nbsp;Enabling CONNECT Serving</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.5.enablingserveraccess">&lsquo;Enabling Server Access&rsquo; in 9.5 HTTPd Server Revise</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.4.enablingsocks5proxy">&lsquo;Enabling SOCKS5 Proxy&rsquo; in 7.4 SOCKS Version 5</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.6.5.enablingssl">&lsquo;Enabling SSL&rsquo; in 7.6.5 Originating SSL</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.7.4.encryptedtunnel">7.7.4&nbsp;Encrypted Tunnel</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.7.5.encryptedtunnelwithauthentication">7.7.5&nbsp;Encrypted Tunnel With Authentication</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.6.11.error0x800700dfthefilesizeexceedsthelimitallowedandcannotbesaved">6.6.11&nbsp;Error 0x800700DF: The file size exceeds the limit allowed and cannot be saved</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.errormessages">&lsquo;Error Messages&rsquo; in 7. Proxy Services</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#10.2.eventcategories">10.2&nbsp;Event Categories</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.7.7.exampleinaction">&lsquo;Example In Action&rsquo; in 7.7.7 Complex Private Tunneling</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.12.examples">&lsquo;Examples&rsquo; in 3.12 Skeleton-Key Authentication</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#10.3.examples">&lsquo;Examples&rsquo; in 10.3 Request Filtering</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.5.15.extensionvisibility">&lsquo;Extension Visibility&rsquo; in 4.5.15 Subject Alternative Name and Other Extensions</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.7.7.externalmapping">&lsquo;External Mapping&rsquo; in 7.7.7 Complex Private Tunneling</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.7.7.externalservices">&lsquo;External Services&rsquo; in 7.7.7 Complex Private Tunneling</a>
<tr><td class="alpha">F</td><td class="text"><a href="#8.1.1.failthrough">&lsquo;Fail-Through&rsquo; in 8.1.1 VMS Clustering Comparison</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.5.14.features">4.5.14&nbsp;Features</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.2.2.filenameambiguity">&lsquo;File Name Ambiguity&rsquo; in 6.2.2 File Naming</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.2.2.filenaming">6.2.2&nbsp;File Naming</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#11.1.filerecordformat">&lsquo;File Record Format&rsquo; in 11.1 Simple File Request Turn-Around</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#11.1.filetransferrate">&lsquo;File Transfer Rate&rsquo; in 11.1 Simple File Request Turn-Around</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.2.3.filesystemaccess">6.2.3&nbsp;File-system Access</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.2.4.filesystemauthorisation">6.2.4&nbsp;File-system Authorisation</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#13.11.filters">&lsquo;Filters&rsquo; in 13.11 QDLogStats</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.6.8.forcewindowsxptousebasicauthentication">6.6.8&nbsp;Force Windows XP to use Basic Authentication</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.5.5.forwardsecrecy">4.5.5&nbsp;Forward Secrecy</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#15.freesoftwarefoundation">&lsquo;Free Software Foundation&rsquo; in 15. Attribution and Acknowledgement</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.6.2.frontpageextensions">6.6.2&nbsp;FrontPage Extensions</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.5.ftpproxyserving">7.5&nbsp;FTP Proxy Serving</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.5.1.ftpquerystringkeywords">7.5.1&nbsp;FTP Query String Keywords</a>
<tr><td class="alpha">G</td><td class="text"><a href="#7.6.gatewayingusingproxy">7.6&nbsp;Gatewaying Using Proxy</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#2.general">&lsquo;General&rsquo; in 2. Package Overview</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#10.2.general">&lsquo;General&rsquo; in 10.2 Event Categories</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.5.16.generalsetup">&lsquo;General Setup&rsquo; in 4.5.16 X509 Configuration</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#5.3.1.globalconfiguration">5.3.1&nbsp;Global Configuration</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.5.2.gnomegvfsnautilus">6.5.2&nbsp;Gnome/gvfs/Nautilus</a>
<tr><td class="alpha">H</td><td class="text"><a href="#9.7.8.hhelppp">9.7.8&nbsp;Hhelppp!</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#13.2.hissfacility">13.2&nbsp;Hiss Facility</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#13.8.htadmin">13.8&nbsp;HTAdmin</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.3.httpmethods">&lsquo;HTTP Methods&rsquo; in 3.3 Permissions, Path and User</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.1.httpmethodssupported">6.1&nbsp;HTTP Methods Supported</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.1.httpproxyserving">7.1&nbsp;HTTP Proxy Serving</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#5.2.httpreport">&lsquo;HTTP Report&rsquo; in 5.2 HTTP/2 and Performance</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#11.1.http11clear">&lsquo;HTTP/1.1 clear&rsquo; in 11.1 Simple File Request Turn-Around</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#11.1.http11encrypted">&lsquo;HTTP/1.1 encrypted&rsquo; in 11.1 Simple File Request Turn-Around</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#5.http2">5.&nbsp;HTTP/2</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#11.1.http2encrypted">&lsquo;HTTP/2 (encrypted)&rsquo; in 11.1 Simple File Request Turn-Around</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#5.2.http2andperformance">5.2&nbsp;HTTP/2 and Performance</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#5.1.http2andwatch">&lsquo;HTTP/2 and WATCH&rsquo; in 5.1 WASD HTTP/2</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#5.3.http2configuration">5.3&nbsp;HTTP/2 Configuration</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.7.9.http2connection">9.7.9&nbsp;HTTP/2 Connection</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#5.4.http2detection">5.4&nbsp;HTTP/2 Detection</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#5.3.1.http2globalconfiguration">&lsquo;HTTP/2 Global Configuration&rsquo; in 5.3.1 Global Configuration</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#5.5.http2references">5.5&nbsp;HTTP/2 References</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#5.3.3.http2setrules">5.3.3&nbsp;HTTP/2 Set Rules</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.7.httpdcommandline">9.7&nbsp;HTTPd Command Line</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#13.9.httpdmonitor">13.9&nbsp;HTTPd Monitor</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.6.httpdserveraction">9.6&nbsp;HTTPd Server Action</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.4.httpdserverreports">9.4&nbsp;HTTPd Server Reports</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.5.httpdserverrevise">9.5&nbsp;HTTPd Server Revise</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#12.httpdwebupdate">12.&nbsp;HTTPd Web Update</a>
<tr><td class="alpha">I</td><td class="text"><a href="#6.1.4.ifrestrictions">6.1.4&nbsp;If: Restrictions</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.9.implication">&lsquo;Implication&rsquo; in 3.9 Authorization Cache</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.5.12.important">&lsquo;Important&rsquo; in 4.5.12 Authorization Using X.509 Certification</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#14.index">14.&nbsp;Index</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.7.11.instancestatus">9.7.11&nbsp;Instance Status</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.7.10.instances">9.7.10&nbsp;Instances</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#8.instancesandenvironments">8.&nbsp;Instances and Environments</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.7.7.internalmapping">&lsquo;Internal Mapping&rsquo; in 7.7.7 Complex Private Tunneling</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.7.7.internalservices">&lsquo;Internal Services&rsquo; in 7.7.7 Complex Private Tunneling</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#2.4.internationalfeatures">2.4&nbsp;International Features</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#1.introduction">1.&nbsp;Introduction</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#5.2.isitallworthitnbspnbspasmightbeexpectedndashthatdepends">&lsquo;Is it all worth it?&nbsp;&nbsp;As might be expected &ndash; that depends.&rsquo; in 5.2 HTTP/2 and Performance</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#5.1.itsfairtosayhellip">&lsquo;It's fair to say&hellip;&rsquo; in 5.1 WASD HTTP/2</a>
<tr><td class="alpha">K</td><td class="text"><a href="#3.8.1.kiss">3.8.1&nbsp;KISS</a>
<tr><td class="alpha">L</td><td class="text"><a href="#7.5.2.quotloginquotkeyword">7.5.2&nbsp;&quot;login&quot; Keyword</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.1.letsencrypt">4.1&nbsp;Let's Encrypt</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.6.1.letsencrypt">&lsquo;Let's Encrypt&rsquo; in 4.6.1 Server Certificate</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#0.license">&lsquo;License&rsquo; in WASD Features and Facilities</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#15.licensedundertheapachelicenseversion20">&lsquo;Licensed under the Apache License, Version 2.0&rsquo; in 15. Attribution and Acknowledgement</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#8.1.1.loadsharing">&lsquo;Load Sharing&rsquo; in 8.1.1 VMS Clustering Comparison</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.6.1.loadingauthoritycertificates">&lsquo;Loading Authority Certificates&rsquo; in 4.6.1 Server Certificate</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.1.5.localpassword">&lsquo;Local Password&rsquo; in 7.1.5 Controlling Proxy Serving</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.4.lockdepth0">&lsquo;Lock Depth 0&rsquo; in 6.4 WebDAV Locking</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.4.lockingdepth">&lsquo;Locking Depth&rsquo; in 6.4 WebDAV Locking</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.4.lockingtimeout">&lsquo;Locking Timeout&rsquo; in 6.4 WebDAV Locking</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.7.12.logging">9.7.12&nbsp;Logging</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.10.2.logontype">3.10.2&nbsp;Logon Type</a>
<tr><td class="alpha">M</td><td class="text"><a href="#7.8.1.manual">7.8.1&nbsp;Manual</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.7.13.mapping">9.7.13&nbsp;Mapping</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.6.1.mapping">6.6.1&nbsp;Mapping</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#13.10.md5digest">13.10&nbsp;MD5digest</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.3.metadatafiles">&lsquo;Metadata Files&rsquo; in 6.3 WebDAV Metadata</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.3.metadatashouldnotbeeditedmanually">&lsquo;Metadata should not be edited manually ...&rsquo; in 6.3 WebDAV Metadata</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.3.metadataxml">&lsquo;Metadata XML&rsquo; in 6.3 WebDAV Metadata</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.1.method">&lsquo;Method&rsquo; in 9.1 Access Before Configuration</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.3.microsoftmetadata">&lsquo;Microsoft Metadata&rsquo; in 6.3 WebDAV Metadata</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.6.microsoftmiscellanea">6.6&nbsp;Microsoft Miscellanea</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.6.10.microsoftwindows7basicauthentication">6.6.10&nbsp;Microsoft Windows 7 BASIC Authentication</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.6.9.microsoftxpexplorerbasicauthentication">6.6.9&nbsp;Microsoft XP Explorer BASIC Authentication</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.1.3.moverestrictions">6.1.3&nbsp;MOVE Restrictions</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.6.muchofthisisprewindows10">&lsquo;much of this is pre-Windows 10&rsquo; in 6.6 Microsoft Miscellanea</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.7.multiserverclusterwide">&lsquo;Multi-Server/Cluster-Wide&rsquo; in 9.7 HTTPd Command Line</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.5.multiplesourcetypes">&lsquo;Multiple Source Types&rsquo; in 3.5 Authentication Sources</a>
<tr><td class="alpha">N</td><td class="text"><a href="#9.7.needittobejogged">&lsquo;Need it to be jogged?&rsquo; in 9.7 HTTPd Command Line</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#10.2.network">&lsquo;Network&rsquo; in 10.2 Event Categories</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.7.14.networkconnection">9.7.14&nbsp;Network Connection</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.10.6.nilaccessvmsaccounts">3.10.6&nbsp;Nil-Access VMS Accounts</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#15.noneofthefollowinglicensingappearsincompatiblewiththeapachelicense">&lsquo;None of the following licensing appears incompatible with the Apache License&rsquo; in 15. Attribution and Acknowledgement</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.6.notreallyanendorsementbut">&lsquo;not really an endorsement but&rsquo; in 4.6 Certificate Management</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.5.5.note">&lsquo;Note&rsquo; in 4.5.5 Forward Secrecy</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.5.5.note">&lsquo;Note&rsquo; in 4.5.5 Forward Secrecy</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.5.note">&lsquo;Note&rsquo; in 3.5 Authentication Sources</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.6.2.note">&lsquo;Note&rsquo; in 7.6.2 Proxy Rework</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.6.2.note">&lsquo;Note&rsquo; in 7.6.2 Proxy Rework</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.6.4.note">&lsquo;Note&rsquo; in 7.6.4 DNS Wildcard Proxy</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.7.8.note">&lsquo;Note&rsquo; in 7.7.8 Tunnelling Source</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.15.note">&lsquo;Note&rsquo; in 3.15 User Password Modification</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.12.note">&lsquo;Note&rsquo; in 3.12 Skeleton-Key Authentication</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.10.8.note">&lsquo;Note&rsquo; in 3.10.8 SYSUAF Security Profile</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#10.5.note">&lsquo;Note&rsquo; in 10.5 Usage Suggestions</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.1.5.note">&lsquo;Note&rsquo; in 7.1.5 Controlling Proxy Serving</a>
<tr><td class="alpha">O</td><td class="text"><a href="#1.objectives">&lsquo;Objectives&rsquo; in 1. Introduction</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#15.ohiostateuniversity">&lsquo;Ohio State University&rsquo; in 15. Attribution and Acknowledgement</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.6.3.oneshotproxy">7.6.3&nbsp;One-Shot Proxy</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#0.onlinesearch">&lsquo;Online Search&rsquo; in WASD Features and Facilities</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.5.3.openssloptions">&lsquo;OpenSSL Options&rsquo; in 4.5.3 SSL Ciphers</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#15.opensslproject">&lsquo;OpenSSL Project&rsquo; in 15. Attribution and Acknowledgement</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.4.opensslexeapplication">4.4&nbsp;OPENSSL.EXE Application</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.6.4.optionsheaderquotmsauthorviadavquot">6.6.4&nbsp;OPTIONS header &quot;MS-Author-Via: DAV&quot;</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.6.5.originatingssl">7.6.5&nbsp;Originating SSL</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.5.1.osxfinder">6.5.1&nbsp;OS X Finder</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#11.osucomparison">&lsquo;OSU Comparison&rsquo; in 11. Server Performance</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#10.2.other">&lsquo;Other&rsquo; in 10.2 Event Categories</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#5.2.otherassessment">&lsquo;Other Assessment&rsquo; in 5.2 HTTP/2 and Performance</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.overview">&lsquo;Overview&rsquo; in 3. Authentication and Authorization</a>
<tr><td class="alpha">P</td><td class="text"><a href="#2.packageoverview">2.&nbsp;Package Overview</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#13.11.parametersandqualifiers">&lsquo;Parameters and Qualifiers&rsquo; in 13.11 QDLogStats</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#13.8.parametersandqualifiers">&lsquo;Parameters and Qualifiers&rsquo; in 13.8 HTAdmin</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#13.6.parametersandqualifiers">&lsquo;Parameters and Qualifiers&rsquo; in 13.6 CALogs</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.15.passwordexpiry">&lsquo;Password Expiry&rsquo; in 3.15 User Password Modification</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#15.paulejones">&lsquo;Paul E. Jones&rsquo; in 15. Attribution and Acknowledgement</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#5.2.performanceassessment">&lsquo;Performance Assessment&rsquo; in 5.2 HTTP/2 and Performance</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.10.8.performanceimpact">&lsquo;Performance Impact&rsquo; in 3.10.8 SYSUAF Security Profile</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.3.permissionspathanduser">3.3&nbsp;Permissions, Path and User</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#11.2.persistentscripting">&lsquo;Persistent Scripting&rsquo; in 11.2 Scripting</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#10.2.proxy">&lsquo;Proxy&rsquo; in 10.2 Event Categories</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.1.2.proxyaffinity">7.1.2&nbsp;Proxy Affinity</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.1.3.proxybind">7.1.3&nbsp;Proxy Bind</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.2.proxycache">7.2&nbsp;Proxy Cache</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.2.proxycacheisobsolete">&lsquo;Proxy Cache is OBSOLETE&rsquo; in 7.2 Proxy Cache</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.1.4.proxychaining">7.1.4&nbsp;Proxy Chaining</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.proxyerrormessages">&lsquo;Proxy Error Messages&rsquo; in 7. Proxy Services</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.1.5.proxypassword">&lsquo;Proxy Password&rsquo; in 7.1.5 Controlling Proxy Serving</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.6.2.proxyrework">7.6.2&nbsp;Proxy Rework</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.proxyservices">7.&nbsp;Proxy Services</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.proxyservingquickstart">&lsquo;Proxy Serving Quick-Start&rsquo; in 7. Proxy Services</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.6.2.proxymungeutility">&lsquo;proxyMUNGE Utility&rsquo; in 7.6.2 Proxy Rework</a>
<tr><td class="alpha">Q</td><td class="text"><a href="#13.11.qdlogstats">13.11&nbsp;QDLogStats</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.8.qualysssllab">&lsquo;Qualys SSL Lab&rsquo; in 4.8 SSL Service Evaluation</a>
<tr><td class="alpha">R</td><td class="text"><a href="#6.2.6.realworldexample">6.2.6&nbsp;Real-World Example</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.5.realmdescription">&lsquo;Realm Description&rsquo; in 3.5 Authentication Sources</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.6.realmfullaccessreadonly">3.6&nbsp;Realm, Full-Access, Read-Only</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#1.reasonsforyetanotherwebpackage">&lsquo;Reasons For Yet Another Web Package&rsquo; in 1. Introduction</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.6.1.redirectionlocationfield">&lsquo;Redirection Location Field&rsquo; in 7.6.1 Reverse Proxy</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.7.references">6.7&nbsp;References</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.6.5.repairingbrokenxpwebfolders">6.6.5&nbsp;Repairing broken XP Web Folders</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#10.4.reportformat">10.4&nbsp;Report Format</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#10.2.request">&lsquo;Request&rsquo; in 10.2 Event Categories</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#10.3.requestfiltering">10.3&nbsp;Request Filtering</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.1.5.requestmodification">&lsquo;Request Modification&rsquo; in 7.1.5 Controlling Proxy Serving</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.6.requestredirect">&lsquo;Request Redirect&rsquo; in 7.6 Gatewaying Using Proxy</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.4.reservednames">&lsquo;Reserved Names&rsquo; in 3.4 Authorization Configuration File</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.4.reservedusername">&lsquo;Reserved Username&rsquo; in 3.4 Authorization Configuration File</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#10.2.response">&lsquo;Response&rsquo; in 10.2 Event Categories</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#8.1.1.restart">&lsquo;Restart&rsquo; in 8.1.1 VMS Clustering Comparison</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.6.1.reverseproxy">7.6.1&nbsp;Reverse Proxy</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.10.3.rightsidentifiers">3.10.3&nbsp;Rights Identifiers</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#15.rsadatasecurity">&lsquo;RSA Data Security&rsquo; in 15. Attribution and Acknowledgement</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.1.ruleinterpretation">3.1&nbsp;Rule Interpretation</a>
<tr><td class="alpha">S</td><td class="text"><a href="#2.scripting">&lsquo;Scripting&rsquo; in 2. Package Overview</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#11.2.scripting">11.2&nbsp;Scripting</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#13.12.sechanutility">13.12&nbsp;SECHAN Utility</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.7.16.securesocketslayer">9.7.16&nbsp;Secure Sockets Layer</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.14.securingallrequests">3.14&nbsp;Securing All Requests</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.6.1.selfsignedcertificates">&lsquo;Self-Signed Certificates&rsquo; in 4.6.1 Server Certificate</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.serveradministration">9.&nbsp;Server Administration</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#2.1.serverbehaviour">2.1&nbsp;Server Behaviour</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.6.1.servercertificate">4.6.1&nbsp;Server Certificate</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.4.serverclisysplus">&lsquo;Server CLI /SYSPLUS&rsquo; in 9.4 HTTPd Server Reports</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#8.2.serverenvironments">8.2&nbsp;Server Environments</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#10.1.serverinstances">10.1&nbsp;Server Instances</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.3.serverinstances">9.3&nbsp;Server Instances</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#8.1.serverinstances">8.1&nbsp;Server Instances</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.7.serverlogannotation">&lsquo;Server Log Annotation&rsquo; in 9.7 HTTPd Command Line</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#11.serverperformance">11.&nbsp;Server Performance</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#5.3.2.serviceconfiguration">5.3.2&nbsp;Service Configuration</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.5.6.sessionresumption">4.5.6&nbsp;Session Resumption</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.7.setpathsslcgiapachemodssl">&lsquo;set /path/* SSLCGI=apache_mod_ssl&rsquo; in 4.7 SSL CGI Variables</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.7.6.sharedsshtunnel">7.7.6&nbsp;Shared SSH Tunnel</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.10.1.shouldacmebeunavailable">&lsquo;Should ACME be unavailable&rsquo; in 3.10.1 ACME</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.7.15.shutdownandrestart">9.7.15&nbsp;Shutdown and Restart</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#11.1.simplefilerequestturnaround">11.1&nbsp;Simple File Request Turn-Around</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.12.skeletonkeyauthentication">3.12&nbsp;Skeleton-Key Authentication</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.4.socksversion5">7.4&nbsp;SOCKS Version 5</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.somethoughtsfromrsengelschall">&lsquo;Some Thoughts From R. S. Engelschall&rsquo; in 4. Transport Layer Security</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.5.somewrinkles">6.5&nbsp;Some Wrinkles</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#13.8.sortdetails">&lsquo;Sort Details&rsquo; in 13.8 HTAdmin</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.5.11.sslaccesscontrol">4.5.11&nbsp;SSL Access Control</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.7.sslcgivariables">4.7&nbsp;SSL CGI Variables</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.5.3.sslciphers">4.5.3&nbsp;SSL Ciphers</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.5.sslconfiguration">4.5&nbsp;SSL Configuration</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.5.3.ssloptions">&lsquo;SSL Options&rsquo; in 4.5.3 SSL Ciphers</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.5.9.sslprivatekey">4.5.9&nbsp;SSL Private Key</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.9.sslreferences">4.9&nbsp;SSL References</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.5.8.sslservercertificate">4.5.8&nbsp;SSL Server Certificate</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.8.sslserviceevaluation">4.8&nbsp;SSL Service Evaluation</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.7.2.ssltoraw">&lsquo;SSL to RAW&rsquo; in 7.7.2 [ServiceProxyTunnel] RAW</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.5.2.sslversions">&lsquo;SSL Versions&rsquo; in 4.5.2 TLS/SSL Versions</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.5.10.sslvirtualservices">4.5.10&nbsp;SSL Virtual Services</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#8.1.4.status">8.1.4&nbsp;Status</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#13.3.streamfacility">13.3&nbsp;Stream Facility</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#13.13.streamlfutility">13.13&nbsp;StreamLF Utility</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.5.7.stricttransportsecurity">4.5.7&nbsp;Strict Transport Security</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.1.stringmatching">&lsquo;String Matching&rsquo; in 3.1 Rule Interpretation</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#15.stuartlangridge">&lsquo;Stuart Langridge&rsquo; in 15. Attribution and Acknowledgement</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.5.15.subjectalternativenameandotherextensions">4.5.15&nbsp;Subject Alternative Name and Other Extensions</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#11.sureanoldclunker">&lsquo;Sure, an old clunker&rsquo; in 11. Server Performance</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.4.systemreportplus">&lsquo;System Report PLUS&rsquo; in 9.4 HTTPd Server Reports</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.10.7.sysuafandssl">3.10.7&nbsp;SYSUAF and SSL</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.10.9.sysuafprofileforfullsiteaccess">3.10.9&nbsp;SYSUAF Profile For Full Site Access</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.10.8.sysuafsecurityprofile">3.10.8&nbsp;SYSUAF Security Profile</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.10.sysuafauthenticatedusers">3.10&nbsp;SYSUAF-Authenticated Users</a>
<tr><td class="alpha">T</td><td class="text"><a href="#0.tableofcontent">&lsquo;Table of Content&rsquo; in  WASD Features and Facilities</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#15.tatsuhirotsujikawa">&lsquo;Tatsuhiro Tsujikawa&rsquo; in 15. Attribution and Acknowledgement</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#2.3.tcpippackages">2.3&nbsp;TCP/IP Packages</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.8.testtlsversion13">&lsquo;test TLS Version 1.3&rsquo; in 4.8 SSL Service Evaluation</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#11.thesearev115results">&lsquo;These Are v11.5 Results&rsquo; in 11. Server Performance</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#11.theseresultsareindicativeonly">&lsquo;These results are indicative only!&rsquo; in 11. Server Performance</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.7.17.throttle">9.7.17&nbsp;Throttle</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.tlsandssl">&lsquo;TLS and SSL&rsquo; in 4. Transport Layer Security</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.tlsfunctionalityisnotsuppliedwiththebasicwasdpackage">&lsquo;TLS functionality is not supplied with the basic WASD package&rsquo; in 4. Transport Layer Security</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.8.tlsversion13">&lsquo;TLS Version 1.3&rsquo; in 4.8 SSL Service Evaluation</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.5.2.tlsversion13">&lsquo;TLS Version 1.3&rsquo; in 4.5.2 TLS/SSL Versions</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.2.tlssslfunctionalitysources">4.2&nbsp;TLS/SSL Functionality Sources</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.5.3.tlsssloptions">&lsquo;TLS/SSL Options&rsquo; in 4.5.3 SSL Ciphers</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.5.2.tlssslversions">4.5.2&nbsp;TLS/SSL Versions</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.11.tokenauthentication">3.11&nbsp;Token Authentication</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.transportlayersecurity">4.&nbsp;Transport Layer Security</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#1.1.troubleshooting">1.1&nbsp;Troubleshooting?</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.7.tunnelingusingproxy">7.7&nbsp;Tunneling Using Proxy</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.7.8.tunnellingsource">7.7.8&nbsp;Tunnelling Source</a>
<tr><td class="alpha">U</td><td class="text"><a href="#12.updateaccesspermission">&lsquo;Update Access Permission&rsquo; in 12. HTTPd Web Update</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#13.6.usageexamples">&lsquo;Usage Examples&rsquo; in 13.6 CALogs</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#13.8.usageexamples">&lsquo;Usage Examples&rsquo; in 13.8 HTAdmin</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#13.11.usageexamples">&lsquo;Usage Examples&rsquo; in 13.11 QDLogStats</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#10.5.usagesuggestions">10.5&nbsp;Usage Suggestions</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.15.userpasswordmodification">3.15&nbsp;User Password Modification</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.1.2.useshttpcookies">&lsquo;Uses HTTP Cookies&rsquo; in 7.1.2 Proxy Affinity</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#8.1.4.usinginstancestatus">&lsquo;Using Instance Status&rsquo; in 8.1.4 Status</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#13.utilitiesandfacilities">13.&nbsp;Utilities and Facilities</a>
<tr><td class="alpha">V</td><td class="text"><a href="#3.7.virtualservers">3.7&nbsp;Virtual Servers</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.10.5.vmsaccountproxying">3.10.5&nbsp;VMS Account Proxying</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#8.1.1.vmsclusteringcomparison">8.1.1&nbsp;VMS Clustering Comparison</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.4.vmsdlmlocking">&lsquo;VMS DLM Locking&rsquo; in 6.4 WebDAV Locking</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#2.2.vmsversions">2.2&nbsp;VMS Versions</a>
<tr><td class="alpha">W</td><td class="text"><a href="#8.1.warning">&lsquo;WARNING&rsquo; in 8.1 Server Instances</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.10.warning">&lsquo;WARNING!&rsquo; in 3.10 SYSUAF-Authenticated Users</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#3.10.4.wasdquothardwiredquotidentifiers">3.10.4&nbsp;WASD &quot;Hard-Wired&quot; Identifiers</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#0.wasdfeaturesandfacilities">&lsquo;WASD Features and Facilities&rsquo; in  WASD Features and Facilities</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#5.1.wasdhttp2">5.1&nbsp;WASD HTTP/2</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.3.wasdsslquickstart">4.3&nbsp;WASD SSL Quick-Start</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#15.wasdvmswebservicesndashcopyrightcopy19962021markgdaniel">&lsquo;WASD VMS Web Services &ndash; Copyright &copy; 1996-2021 Mark G. Daniel&rsquo; in 15. Attribution and Acknowledgement</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.5.1.wasdconfigservice">4.5.1&nbsp;WASD_CONFIG_SERVICE</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#7.1.1.wasdconfigservice">&lsquo;WASD_CONFIG_SERVICE&rsquo; in 7.1.1 Enabling A Proxy Service</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#13.14.wasteeutility">13.14&nbsp;WAStee Utility</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#10.watchfacility">10.&nbsp;WATCH Facility</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.webdav">6.&nbsp;WebDAV</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.2.webdavconfiguration">6.2&nbsp;WebDAV Configuration</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.4.webdavlocking">6.4&nbsp;WebDAV Locking</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.3.webdavmetadata">6.3&nbsp;WebDAV Metadata</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.2.1.webdavsetrules">6.2.1&nbsp;WebDAV Set Rules</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#9.7.18.websocket">9.7.18&nbsp;WebSocket</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#13.4.wherefacility">13.4&nbsp;Where Facility</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.2.6.whyusehellip">&lsquo;Why use &hellip;&rsquo; in 6.2.6 Real-World Example</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#13.15.wotsuputility">13.15&nbsp;WOTSUP Utility</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#6.4.writeaccessonly">&lsquo;Write Access Only&rsquo; in 6.4 WebDAV Locking</a>
<tr><td class="alpha">X</td><td class="text"><a href="#4.5.18.x509authorizationcgivariables">4.5.18&nbsp;X.509 Authorization CGI Variables</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.5.13.x509certificaterenegotiation">4.5.13&nbsp;X.509 Certificate Renegotiation</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#4.5.16.x509configuration">4.5.16&nbsp;X509 Configuration</a>
<tr><td class="alpha">&nbsp;</td><td class="text"><a href="#13.5.xrayfacility">13.5&nbsp;Xray Facility</a>
<tr><td class="alpha">Y</td><td class="text"><a href="#5.2.ymmv">&lsquo;YMMV!&rsquo; in 5.2 HTTP/2 and Performance</a>
</table>
</div>


<hr class="page">
<a id="15." href="#"></a>
<a id="15.attributionandacknowledgement" href="#"></a>
<a id="attributionandacknowledgement" href="#"></a>
<h1 class="head"><span class="numb">15.</span><span class="text">Attribution and Acknowledgement</span></h1>


<a id="15.0.0.0.1" href="#"></a>
<a id="15.wasdvmswebservicesndashcopyrightcopy19962021markgdaniel" href="#"></a>
<a id="wasdvmswebservicesndashcopyrightcopy19962021markgdaniel" href="#"></a>
<h5 class="head"><span class="text">WASD VMS Web Services &ndash; Copyright &copy; 1996-2021 Mark G. Daniel</span></h5>

<a id="15.0.0.0.2" href="#"></a>
<a id="15.licensedundertheapachelicenseversion20" href="#"></a>
<a id="licensedundertheapachelicenseversion20" href="#"></a>
<h5 class="head"><span class="text">Licensed under the <span class="high bold">Apache License</span>, Version 2.0</span></h5>

<p>
<div class="blockof code">You may not use this software except in compliance with the License.
You may obtain a copy of the License at

<a class="link blank" target="_blank" rel="noopener" style="margin-left:1em;" href="https://www.apache.org/licenses/LICENSE-2.0">https://www.apache.org/licenses/LICENSE-2.0</a>

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an &quot;AS IS&quot; BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
</div>

<a id="15.0.0.0.3" href="#"></a>
<a id="15.noneofthefollowinglicensingappearsincompatiblewiththeapachelicense" href="#"></a>
<a id="noneofthefollowinglicensingappearsincompatiblewiththeapachelicense" href="#"></a>
<h5 class="head"><span class="text">None of the following licensing appears incompatible with the Apache License</span></h5>

<a id="15.0.0.0.4" href="#"></a>
<a id="15.clarkcooperetal" href="#"></a>
<a id="clarkcooperetal" href="#"></a>
<h5 class="head"><span class="text">Clark Cooper, et al.</span></h5>

<p> This package uses the Expat XML parsing toolkit.

<div class="blockof code">Copyright (c) 1998, 1999, 2000
Thai Open Source Software Center Ltd and Clark Cooper
Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006 Expat maintainers.

Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
&quot;Software&quot;), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:

The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.
</div>

<a id="15.0.0.0.5" href="#"></a>
<a id="15.bjoumlernhoumlehrmann" href="#"></a>
<a id="bjoumlernhoumlehrmann" href="#"></a>
<h5 class="head"><span class="text">Bj&ouml;ern H&ouml;ehrmann</span></h5>

<p> This package uses the essential algorithm and code from the Flexible and Economical
UTF-8 Decoder.

<div class="blockof code">Copyright (c) 2008-2009 Bj&ouml;rn H&ouml;hrmann (&lt;bjoern@hoehrmann.de&gt;)

Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
&quot;Software&quot;), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:

The above copyright notice and this permission notice shall be included
in all copies or substantial portions of the Software.
</div>

<a id="15.0.0.0.6" href="#"></a>
<a id="15.freesoftwarefoundation" href="#"></a>
<a id="freesoftwarefoundation" href="#"></a>
<h5 class="head"><span class="text">Free Software Foundation</span></h5>

<p> This package contains software made available by the Free Software
Foundation under the GNU General Public License.

<div class="blockof code">This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2, or (at your option)
any later version.
</div>

<a id="15.0.0.0.7" href="#"></a>
<a id="15.ohiostateuniversity" href="#"></a>
<a id="ohiostateuniversity" href="#"></a>
<h5 class="head"><span class="text">Ohio State University</span></h5>

<p> This package contains software provided with the OSU (DECthreads) HTTP
server package, authored by David Jones:

<div class="blockof code">Copyright 1994,1997 The Ohio State University.  
The Ohio State University will not assert copyright with respect
to reproduction, distribution, performance and/or modification 
of this program by any person or entity that ensures that all 
copies made, controlled or distributed by or for him or it bear 
appropriate acknowlegement of the developers of this program.
</div>

<a id="15.0.0.0.8" href="#"></a>
<a id="15.opensslproject" href="#"></a>
<a id="opensslproject" href="#"></a>
<h5 class="head"><span class="text">OpenSSL Project</span></h5>
                                                                           
<p> This product <span class="high italic">can</span> include software developed by the OpenSSL Project for
use in the OpenSSL Toolkit (<a class="link blank" target="_blank" rel="noopener" href="https://www.openssl.org/">https://www.openssl.org/</a>).

<div class="blockof code">Redistribution and use in source and binary forms, with or without
modification, are permitted ...
</div>

<a id="15.0.0.0.9" href="#"></a>
<a id="15.paulejones" href="#"></a>
<a id="paulejones" href="#"></a>
<h5 class="head"><span class="text">Paul E. Jones</span></h5>

<p> This package uses SHA-1 hash code.

<div class="blockof code">Copyright (C) 1998, 2009
Paul E. Jones &lt;paulej@packetizer.com&gt;

Freeware Public License (FPL)

This software is licensed as &quot;freeware.&quot;  Permission to distribute this
software in source and binary forms, including incorporation  into other
products, is hereby granted without a fee.
</div>

<a id="15.0.0.0.10" href="#"></a>
<a id="15.rsadatasecurity" href="#"></a>
<a id="rsadatasecurity" href="#"></a>
<h5 class="head"><span class="text">RSA Data Security</span></h5>

<p> This software contains code derived in part from RSA Data Security, Inc:

<div class="blockof code">permission granted to make and use derivative works provided that such works
are identified as &quot;derived from the RSA Data Security, Inc. MD5 Message-Digest
Algorithm&quot; in all material mentioning or referencing the derived work.
</div>

<a id="15.0.0.0.11" href="#"></a>
<a id="15.stuartlangridge" href="#"></a>
<a id="stuartlangridge" href="#"></a>
<h5 class="head"><span class="text">Stuart Langridge</span></h5>

<p> SortTable version 2
<br> Stuart Langridge, http://www.kryogenix.org/code/browser/sorttable/

<div class="blockof code">Thanks to many, many people for contributions and suggestions.
Licenced as X11: <a class="link blank" target="_blank" rel="noopener" href="http://www.kryogenix.org/code/browser/licence.html">http://www.kryogenix.org/code/browser/licence.html</a>
This basically means: do what you want with it.
</div>

<a id="15.0.0.0.12" href="#"></a>
<a id="15.tatsuhirotsujikawa" href="#"></a>
<a id="tatsuhirotsujikawa" href="#"></a>
<h5 class="head"><span class="text">Tatsuhiro Tsujikawa</span></h5>

<p> nghttp2 - HTTP/2 C Library
<br> Tatsuhiro Tsujikawa, <a class="link blank" target="_blank" rel="noopener" href="https://github.com/tatsuhiro-t">https://github.com/tatsuhiro-t</a>

<div class="blockof code">Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the &quot;Software&quot;), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
of the Software, and to permit persons to whom the Software is furnished to do
so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
</div>

<p> <span class="high bold">VSI OpenVMS</span>,
<span class="high bold">VSI TCP/IP Services for OpenVMS</span>,
<span class="high bold">VSI C</span>

<br> are registered trademarks of VMS Software Inc. 

<p> <span class="high bold">OpenVMS</span>,
<span class="high bold">HP TCP/IP Services for OpenVMS</span>,
<span class="high bold">HP C</span>,
<span class="high bold">Alpha</span>,
<span class="high bold">Itanium</span> and
<span class="high bold">VAX</span>

<br> are registered trademarks of Hewlett Packard Enterprise.

<p> <span class="high bold">MultiNet</span> and <span class="high bold">TCPware</span> are registered trademarks of Process Software
Corporation.

<title>WASD Features and Facilities</title>