[0001] [0002] [0003] [0004] [0005] [0006] [0007] [0008] [0009] [0010] [0011] [0012] [0013] [0014] [0015] [0016] [0017] [0018] [0019] [0020] [0021] [0022] [0023] [0024] [0025] [0026] [0027] [0028] [0029] [0030] [0031] [0032] [0033] [0034] [0035] [0036] [0037] [0038] [0039] [0040] [0041] [0042] [0043] [0044] [0045] [0046] [0047] [0048] [0049] [0050] [0051] [0052] [0053] [0054] [0055] [0056] [0057] [0058] [0059] [0060] [0061] [0062] [0063] [0064] [0065] [0066] [0067] [0068] [0069] [0070] [0071] [0072] [0073] [0074] [0075] [0076] [0077] [0078] [0079] [0080] [0081] [0082] [0083] [0084] [0085] [0086] [0087] [0088] [0089] [0090] [0091] [0092] [0093] [0094] [0095] [0096] [0097] [0098] [0099] [0100] [0101] [0102] [0103] [0104] [0105] [0106] [0107] [0108] [0109] [0110] [0111] [0112] [0113] [0114] [0115] [0116] [0117] [0118] [0119] [0120] [0121] [0122] [0123] [0124] [0125] [0126] [0127] [0128] [0129] [0130] [0131] [0132] [0133] [0134] [0135] [0136] [0137] [0138] [0139] [0140] [0141] [0142] [0143] [0144] [0145] [0146] [0147] [0148] [0149] [0150] [0151] [0152] [0153] [0154] [0155] [0156] [0157] [0158] [0159] [0160] [0161] [0162] [0163] [0164] [0165] [0166] [0167] [0168] [0169] [0170] [0171] [0172] [0173] [0174] [0175] [0176] [0177] [0178] [0179] [0180] [0181] [0182] [0183] [0184] [0185] [0186] [0187] [0188] [0189] [0190] [0191] [0192] [0193] [0194] [0195] [0196] [0197] [0198] [0199] [0200] [0201] [0202] [0203] [0204] [0205] [0206] [0207] [0208] [0209] [0210] [0211] [0212] [0213] [0214] [0215] [0216] [0217] [0218] [0219] [0220] [0221] [0222] [0223] [0224] [0225] [0226] [0227] [0228] [0229] [0230] [0231] [0232] [0233] [0234] [0235] [0236] [0237] [0238] [0239] [0240] [0241] [0242] [0243] [0244] [0245] [0246] [0247] [0248] [0249] [0250] [0251] [0252] [0253] [0254] [0255] [0256] [0257] [0258] [0259] [0260] [0261] [0262] [0263] [0264] [0265] [0266] [0267] [0268] [0269] [0270] [0271] [0272] [0273] [0274] [0275] [0276] [0277] [0278] [0279] [0280] [0281] [0282] [0283] [0284] [0285] 
[0286] [0287] [0288] [0289] [0290] [0291] [0292] [0293] [0294] [0295] [0296] [0297] [0298] [0299] [0300] [0301] [0302] [0303] [0304] [0305] [0306] [0307] [0308] [0309] [0310] [0311] [0312] [0313] [0314] [0315] [0316] [0317] [0318] [0319] [0320] [0321] [0322] [0323] [0324] [0325] [0326] [0327] [0328] [0329] [0330] [0331] [0332] [0333] [0334] [0335] [0336] [0337] [0338] [0339] [0340] [0341] [0342] [0343] [0344] [0345] [0346] [0347] [0348] [0349] [0350] [0351] [0352] [0353] [0354] [0355] [0356] [0357] [0358] [0359] [0360] [0361] [0362] [0363] [0364] [0365] [0366] [0367] [0368] [0369] [0370] [0371] [0372] [0373] [0374] [0375] [0376] [0377] [0378] [0379] [0380] [0381] [0382] [0383] [0384] [0385] [0386] [0387] [0388] [0389] [0390] [0391] [0392] [0393] [0394] [0395] [0396] [0397] [0398] [0399] [0400] [0401] [0402] [0403] [0404] [0405] [0406] [0407] [0408] [0409] [0410] [0411] [0412] [0413] [0414] [0415] [0416] [0417] [0418] [0419] [0420] [0421] [0422] [0423] [0424] [0425] [0426] [0427] [0428] [0429] [0430] [0431] [0432] [0433] [0434] [0435] [0436] [0437] [0438] [0439] [0440] [0441] [0442] [0443] [0444] [0445] [0446] [0447] [0448] [0449] [0450] [0451] [0452] [0453] [0454] [0455] [0456] [0457] [0458] [0459] [0460] [0461] [0462] [0463] [0464] [0465] [0466] [0467] [0468] [0469] [0470] [0471] [0472] [0473] [0474] [0475] [0476] [0477] [0478] [0479] [0480] [0481] [0482] [0483] [0484] [0485] [0486] [0487] [0488] [0489] [0490] [0491] [0492] [0493] [0494] [0495] [0496] [0497] [0498] [0499] [0500] [0501] [0502] [0503] [0504] [0505] [0506] [0507] [0508] [0509] [0510] [0511] [0512] [0513] [0514] [0515] [0516] [0517] [0518] [0519] [0520] [0521] [0522] [0523] [0524] [0525] [0526] [0527] [0528] [0529] [0530] [0531] [0532] [0533] [0534] [0535] [0536] [0537] [0538] [0539] [0540] [0541] [0542] [0543] [0544] [0545] [0546] [0547] [0548] [0549] [0550] [0551] [0552] [0553] [0554] [0555] [0556] [0557] [0558] [0559] [0560] [0561] [0562] [0563] [0564] [0565] [0566] [0567] [0568] [0569] [0570] 
[0571] [0572] [0573] [0574] [0575] [0576] [0577] [0578] [0579] [0580] [0581] [0582] [0583] [0584] [0585] [0586] [0587] [0588] [0589] [0590] [0591] [0592] [0593] [0594] [0595] [0596] [0597] [0598] [0599] [0600] [0601] [0602] [0603] [0604] [0605] [0606] [0607] [0608] [0609] [0610] [0611] [0612] [0613] [0614] [0615] [0616] [0617] [0618] [0619] [0620] [0621] [0622] [0623] [0624] [0625] [0626] [0627] [0628] [0629] [0630] [0631] [0632] [0633] [0634] [0635] [0636] [0637] [0638] [0639] [0640] [0641] [0642] [0643] [0644] [0645] [0646] [0647] [0648] [0649] [0650] [0651] [0652] [0653] [0654] [0655] [0656] [0657] [0658] [0659] [0660] [0661] [0662] [0663] [0664] [0665] [0666] [0667] [0668] [0669] [0670] [0671] [0672] [0673] [0674] [0675] [0676] [0677] [0678] [0679] [0680] [0681] [0682] [0683] [0684] [0685] [0686] [0687] [0688] [0689] [0690] [0691] [0692] [0693] [0694] [0695] [0696] [0697] [0698] [0699] [0700] [0701] [0702] [0703] [0704] [0705] [0706] [0707] [0708] [0709] [0710] [0711] [0712] [0713] [0714] [0715] [0716] [0717] [0718] [0719] [0720] [0721] [0722] [0723] [0724] [0725] [0726] [0727] [0728] [0729] [0730] [0731] [0732] [0733] [0734] [0735] [0736] [0737] [0738] [0739] [0740] [0741] [0742] [0743] [0744] [0745] [0746] [0747] [0748] [0749] [0750] [0751] [0752] [0753] [0754] [0755] [0756] [0757] [0758] [0759] [0760] [0761] [0762] [0763] [0764] [0765] [0766] [0767] [0768] [0769] [0770] [0771] [0772] [0773] [0774] [0775] [0776] [0777] [0778] [0779] [0780] [0781] [0782] [0783] [0784] [0785] [0786] [0787] [0788] [0789] [0790] [0791] [0792] [0793] [0794] [0795] [0796] [0797] [0798] [0799] [0800] [0801] [0802] [0803] [0804] [0805] [0806] [0807] [0808] [0809] [0810] [0811] [0812] [0813] [0814] [0815] [0816] [0817] [0818] [0819] [0820] [0821] [0822] [0823] [0824] [0825] [0826] [0827] [0828] [0829] [0830] [0831] [0832] [0833] [0834] [0835] [0836] [0837] [0838] [0839] [0840] [0841] [0842] [0843] [0844] [0845] [0846] [0847] [0848] [0849] [0850] [0851] [0852] [0853] [0854] [0855] 
[0856] [0857] [0858] [0859] [0860] [0861] [0862] [0863] [0864] [0865] [0866] [0867] [0868] [0869] [0870] [0871] [0872] [0873] [0874] [0875] [0876] [0877] [0878] [0879] [0880] [0881] [0882] [0883] [0884] [0885] [0886] [0887] [0888] [0889] [0890] [0891] [0892] [0893] [0894] [0895] [0896] [0897] [0898] [0899] [0900] [0901] [0902] [0903] [0904] [0905] [0906] [0907] [0908] [0909] [0910] [0911] [0912] [0913] [0914] [0915] [0916] [0917] [0918] [0919] [0920] [0921] [0922] [0923] [0924] [0925] [0926] [0927] [0928] [0929] [0930] [0931] [0932] [0933] [0934] [0935] [0936] [0937] [0938] [0939] [0940] [0941] [0942] [0943] [0944] [0945] [0946] [0947] [0948] [0949] [0950] [0951] [0952] [0953] [0954] [0955] [0956] [0957] [0958] [0959] [0960] [0961] [0962] [0963] [0964] [0965] [0966] [0967] [0968] [0969] [0970] [0971] [0972] [0973] [0974] [0975] [0976] [0977] [0978] [0979] [0980] [0981] [0982] [0983] [0984] [0985] [0986] [0987] [0988] [0989] [0990] [0991] [0992] [0993] [0994] [0995] [0996] [0997] [0998] [0999] [1000] [1001] [1002] [1003] [1004] [1005] [1006] [1007] [1008] [1009] [1010] [1011] [1012] [1013] [1014] [1015] [1016] [1017] [1018] [1019] [1020] [1021] [1022] [1023] [1024] [1025] [1026] [1027] [1028] [1029] [1030] [1031] [1032] [1033] [1034] [1035] [1036] [1037] [1038] [1039] [1040] [1041] [1042] [1043] [1044] [1045] [1046] [1047] [1048] [1049] [1050] [1051] [1052] [1053] [1054] [1055] [1056] [1057] [1058] [1059] [1060] [1061] [1062] [1063] [1064] [1065] [1066] [1067] [1068] [1069] [1070] [1071] [1072] [1073] [1074] [1075] [1076] [1077] [1078] [1079] [1080] [1081] [1082] [1083] [1084] [1085] [1086] [1087] [1088] [1089] [1090] [1091] [1092] [1093] [1094] [1095] [1096] [1097] [1098] [1099] [1100] [1101] [1102] [1103] [1104] [1105] [1106] [1107] [1108] [1109] [1110] [1111] [1112] [1113] [1114] [1115] [1116] [1117] [1118] [1119] [1120] [1121] [1122] [1123] [1124] [1125] [1126] [1127] [1128] [1129] [1130] [1131] [1132] [1133] [1134] [1135] [1136] [1137] [1138] [1139] [1140] 
[1141] [1142] [1143] [1144] [1145] [1146] [1147] [1148] [1149] [1150] [1151] [1152] [1153] [1154] [1155] [1156] [1157] [1158] [1159] [1160] [1161] [1162] [1163] [1164] [1165] [1166] [1167] [1168] [1169] [1170] [1171] [1172] [1173] [1174] [1175] [1176] [1177] [1178] [1179] [1180] [1181] [1182] [1183] [1184] [1185] [1186] [1187] [1188] [1189] [1190] [1191] [1192] [1193] [1194] [1195] [1196] [1197] [1198] [1199] [1200] [1201] [1202] [1203] [1204] [1205] [1206] [1207] [1208] [1209] [1210] [1211] [1212] [1213] [1214] [1215] [1216] [1217] [1218] [1219] [1220] [1221] [1222] [1223] [1224] [1225] [1226] [1227] [1228] [1229] [1230] [1231] [1232] [1233] [1234] [1235] [1236] [1237] [1238] [1239] [1240] [1241] [1242] [1243] [1244] [1245] [1246] [1247] [1248] [1249] [1250] [1251] [1252] [1253] [1254] [1255] [1256] [1257] [1258] [1259] [1260] [1261] [1262] [1263] [1264] [1265] [1266] [1267] [1268] [1269] [1270] [1271] [1272] [1273] [1274] [1275] [1276] [1277] [1278] [1279] [1280] [1281] [1282] [1283] [1284] [1285] [1286] [1287] [1288] [1289] [1290] [1291] [1292] [1293] [1294] [1295] [1296] [1297] [1298] [1299] [1300] [1301] [1302] [1303] [1304] [1305] [1306] [1307] [1308] [1309] [1310] [1311] [1312] [1313] [1314] [1315] [1316] [1317] [1318] [1319] [1320] [1321] [1322] [1323] [1324] [1325] [1326] [1327] [1328] [1329] [1330] [1331] [1332] [1333] [1334] [1335] [1336] [1337] [1338] [1339] [1340] [1341] [1342] [1343] [1344] [1345] [1346] [1347] [1348] [1349] [1350] [1351] [1352] [1353] [1354] [1355] [1356] [1357] [1358] [1359] [1360] [1361] [1362] [1363] [1364] [1365] [1366] [1367] [1368] [1369] [1370] [1371] [1372] [1373] [1374] [1375] [1376] [1377] [1378] [1379] [1380] [1381] [1382] [1383] [1384] [1385] [1386] [1387] [1388] [1389] [1390] [1391] [1392] [1393] [1394] [1395] [1396] [1397] [1398] [1399] [1400] [1401] [1402] [1403] [1404] [1405] [1406] [1407] [1408] [1409] [1410] [1411] [1412] [1413] [1414] [1415] [1416] [1417] [1418] [1419] [1420] [1421] [1422] [1423] [1424] [1425] 
[1426] [1427] [1428] [1429] [1430] [1431] [1432] [1433] [1434] [1435] [1436] [1437] [1438] [1439] [1440] [1441] [1442] [1443] [1444] [1445] [1446] [1447] [1448] [1449] [1450] [1451] [1452] [1453] [1454] [1455] [1456] [1457] [1458] [1459] [1460] [1461] [1462] [1463] [1464] [1465] [1466] [1467] [1468] [1469] [1470] [1471] [1472] [1473] [1474] [1475] [1476] [1477] [1478] [1479] [1480] [1481] [1482] [1483] [1484] [1485] [1486] [1487] [1488] [1489] [1490] [1491] [1492] [1493] [1494] [1495] [1496] [1497] [1498] [1499] [1500] [1501] [1502] [1503] [1504] [1505] [1506] [1507] [1508] [1509] [1510] [1511] [1512] [1513] [1514] [1515] [1516] [1517] [1518] [1519] [1520] [1521] [1522] [1523] [1524] [1525] [1526] [1527] [1528] [1529] [1530] [1531] [1532] [1533] [1534] [1535] [1536] [1537] [1538] [1539] [1540] [1541] [1542] [1543] [1544] [1545] [1546] [1547] [1548] [1549] [1550] [1551] [1552] [1553] [1554] [1555] [1556] [1557] [1558] [1559] [1560] [1561] [1562] [1563] [1564] [1565] [1566] [1567] [1568] [1569] [1570] [1571] [1572] [1573] [1574] [1575] [1576] [1577] [1578] [1579] [1580] [1581] [1582] [1583] [1584] [1585] [1586] [1587] [1588] [1589] [1590] [1591] [1592] [1593] [1594] [1595] [1596] [1597] [1598] [1599] [1600] [1601] [1602] [1603] [1604] [1605] [1606] [1607] [1608] [1609] [1610] [1611] [1612] [1613] [1614] [1615] [1616] [1617] [1618] [1619] [1620] [1621] [1622] [1623] [1624] [1625] [1626] [1627] [1628] [1629] [1630] [1631] [1632] [1633] [1634] [1635] [1636] [1637] [1638] [1639] [1640] [1641] [1642] [1643] [1644] [1645] [1646] [1647] [1648] [1649] [1650] [1651] [1652] [1653] [1654] [1655] [1656] [1657] [1658] [1659] [1660] [1661] [1662] [1663] [1664] [1665] [1666] [1667] [1668] [1669] [1670] [1671] [1672] [1673] [1674] [1675] [1676] [1677] [1678] [1679] [1680] [1681] [1682] [1683] [1684] [1685] [1686] [1687] [1688] [1689] [1690] [1691] [1692] [1693] [1694] [1695] [1696] [1697] [1698] [1699] [1700] [1701] [1702] [1703] [1704] [1705] [1706] [1707] [1708] [1709] [1710] 
[1711] [1712] [1713] [1714] [1715] [1716] [1717] [1718] [1719] [1720] [1721] [1722] [1723] [1724] [1725] [1726] [1727] [1728] [1729] [1730] [1731] [1732] [1733] [1734] [1735] [1736] [1737] [1738] [1739] [1740] [1741] [1742] [1743] [1744] [1745] [1746] [1747] [1748] [1749] [1750] [1751] [1752] [1753] [1754] [1755] [1756] [1757] [1758] [1759] [1760] [1761] [1762] [1763] [1764] [1765] [1766] [1767] [1768] [1769] [1770] [1771] [1772] [1773] [1774] [1775] [1776] [1777] [1778] [1779] [1780] [1781] [1782] [1783] [1784] [1785] [1786] [1787] [1788] [1789] [1790] [1791] [1792] [1793] [1794] [1795] [1796] [1797] [1798] [1799] [1800] [1801] [1802] [1803] [1804] [1805] [1806] [1807] [1808] [1809] [1810] [1811] [1812] [1813] [1814] [1815] [1816] [1817] [1818] [1819] [1820] [1821] [1822] [1823] [1824] [1825] [1826] [1827] [1828] [1829] [1830] [1831] [1832] [1833] [1834] [1835] [1836] [1837] [1838] [1839] [1840] [1841] [1842] [1843] [1844] [1845] [1846] [1847] [1848] [1849] [1850] [1851] [1852] [1853] [1854] [1855] [1856] [1857] [1858] [1859] [1860] [1861] [1862] [1863] [1864] [1865] [1866] [1867] [1868] [1869] [1870] [1871] [1872] [1873] [1874] [1875] [1876] [1877] [1878] [1879] [1880] [1881] [1882] [1883] [1884] [1885] [1886] [1887] [1888] [1889] [1890] [1891] [1892] [1893] [1894] [1895] [1896] [1897] [1898] [1899] [1900] [1901] [1902] [1903] [1904] [1905] [1906] [1907] [1908] [1909] [1910] [1911] [1912] [1913] [1914] [1915] [1916] [1917] [1918] [1919] [1920] [1921] [1922] [1923] [1924] [1925] [1926] [1927] [1928] [1929] [1930] [1931] [1932] [1933] [1934] [1935] [1936] [1937] [1938] [1939] [1940] [1941] [1942] [1943] [1944] [1945] [1946] [1947] [1948] [1949] [1950] [1951] [1952] [1953] [1954] [1955] [1956] [1957] [1958] [1959] [1960] [1961] [1962] [1963] [1964] [1965] [1966] [1967] [1968] [1969] [1970] [1971] [1972] [1973] [1974] [1975] [1976] [1977] [1978] [1979] [1980] [1981] [1982] [1983] [1984] [1985] [1986] [1987] [1988] [1989] [1990] [1991] [1992] [1993] [1994] [1995] 
[1996] [1997] [1998] [1999] [2000] [2001] [2002] [2003] [2004] [2005] [2006] [2007] [2008] [2009] [2010] [2011] [2012] [2013] [2014] [2015] [2016] [2017] [2018] [2019] [2020] [2021] [2022] [2023] [2024] [2025] [2026] [2027] [2028] [2029] [2030] [2031] [2032] [2033] [2034] [2035] [2036] [2037] [2038] [2039] [2040] [2041] [2042] [2043] [2044] [2045] [2046] [2047] [2048] [2049] [2050] [2051] [2052] [2053] [2054] [2055] [2056] [2057] [2058] [2059] [2060] [2061] [2062] [2063] [2064] [2065] [2066] [2067] [2068] [2069] [2070] [2071] [2072] [2073] [2074] [2075] [2076] [2077] [2078] [2079] [2080] [2081] [2082] [2083] [2084] [2085] [2086] [2087] [2088] [2089] [2090] [2091] [2092] [2093] [2094] [2095] [2096] [2097] [2098] [2099] [2100] [2101] [2102] [2103] [2104] [2105] [2106] [2107] [2108] [2109] [2110] [2111] [2112] [2113] [2114] [2115] [2116] [2117] [2118] [2119] [2120] [2121] [2122] [2123] [2124] [2125] [2126] [2127] [2128] [2129] [2130] [2131] [2132] [2133] [2134] [2135] [2136] [2137] [2138] [2139] [2140] [2141] [2142] [2143] [2144] [2145] [2146] [2147] [2148] [2149] [2150] [2151] [2152] [2153] [2154] [2155] [2156] [2157] [2158] [2159] [2160] [2161] [2162] [2163] [2164] [2165] [2166] [2167] [2168] [2169] [2170] [2171] [2172] [2173] [2174] [2175] [2176] [2177] [2178] [2179] [2180] [2181] [2182] [2183] [2184] [2185] [2186] [2187] [2188] [2189] [2190] [2191] [2192] [2193] [2194] [2195] [2196] [2197] [2198] [2199] [2200] [2201] [2202] [2203] [2204] [2205] [2206] [2207] [2208] [2209] [2210] [2211] [2212] [2213] [2214] [2215] [2216] [2217] [2218] [2219] [2220] [2221] [2222] [2223] [2224] [2225] [2226] [2227] [2228] [2229] [2230] [2231] [2232] [2233] [2234] [2235] [2236] [2237] [2238] [2239] [2240] [2241] [2242] [2243] [2244] [2245] [2246] [2247] [2248] [2249] [2250] [2251] [2252] [2253] [2254] [2255] [2256] [2257] [2258] [2259] [2260] [2261] [2262] [2263] [2264] [2265] [2266] [2267] [2268] [2269] [2270] [2271] [2272] [2273] [2274] [2275] [2276] [2277] [2278] [2279] [2280] 
[2281] [2282] [2283] [2284] [2285] [2286] [2287] [2288] [2289] [2290] [2291] [2292] [2293] [2294] [2295] [2296] [2297] [2298] [2299] [2300] [2301] [2302] [2303] [2304] [2305] [2306] [2307] [2308] [2309] [2310] [2311] [2312] [2313] [2314] [2315] [2316] [2317] [2318] [2319] [2320] [2321] [2322] [2323] [2324] [2325] [2326] [2327] [2328] [2329] [2330] [2331] [2332] [2333] [2334] [2335] [2336] [2337] [2338] [2339] [2340] [2341] [2342] [2343] [2344] [2345] [2346] [2347] [2348] [2349] [2350] [2351] [2352] [2353] [2354] [2355] [2356] [2357] [2358] [2359] [2360] [2361] [2362] [2363] [2364] [2365] [2366] [2367] [2368] [2369] [2370] [2371] [2372] [2373] [2374] [2375] [2376] [2377] [2378] [2379] [2380] [2381] [2382] [2383] [2384] [2385] [2386] [2387] [2388] [2389] [2390] [2391] [2392] [2393] [2394] [2395] [2396] [2397] [2398] [2399] [2400] [2401] [2402] [2403] [2404] [2405] [2406] [2407] [2408] [2409] [2410] [2411] [2412] [2413] [2414] [2415] [2416] [2417] [2418] [2419] [2420] [2421] [2422] [2423] [2424] [2425] [2426] [2427] [2428] [2429] [2430] [2431] [2432] [2433] [2434] [2435] [2436] [2437] [2438] [2439] [2440] [2441] [2442] [2443] [2444] [2445] [2446] [2447] [2448] [2449] [2450] [2451] [2452] [2453] [2454] [2455] [2456] [2457] [2458] [2459] [2460] [2461] [2462] [2463] [2464] [2465] [2466] [2467] [2468] [2469] [2470] [2471] [2472] [2473] [2474] [2475] [2476] [2477] [2478] [2479] [2480] [2481] [2482] [2483] [2484] [2485] [2486] [2487] [2488] [2489] [2490] [2491] [2492] [2493] [2494] [2495] [2496] [2497] [2498] [2499] [2500] [2501] [2502] [2503] [2504] [2505] [2506] [2507] [2508] [2509] [2510] [2511] [2512] [2513] [2514] [2515] [2516] [2517] [2518] [2519] [2520] [2521] [2522] [2523] [2524] [2525] [2526] [2527] [2528] [2529] [2530] [2531] [2532] [2533] [2534] [2535] [2536] [2537] [2538] [2539] [2540] [2541] [2542] [2543] [2544] [2545] [2546] [2547] [2548] [2549] [2550] [2551] [2552] [2553] [2554] [2555] [2556] [2557] [2558] [2559] [2560] [2561] [2562] [2563] [2564] [2565] 
[2566] [2567] [2568] [2569] [2570] [2571] [2572] [2573] [2574] [2575] [2576] [2577] [2578] [2579] [2580] [2581] [2582] [2583] [2584] [2585] [2586] [2587] [2588] [2589] [2590] [2591] [2592] [2593] [2594] [2595] [2596] [2597] [2598] [2599] [2600] [2601] [2602] [2603] [2604] [2605] [2606] [2607] [2608] [2609] [2610] [2611] [2612] [2613] [2614] [2615] [2616] [2617] [2618] [2619] [2620] [2621] [2622] [2623] [2624] [2625] [2626] [2627] [2628] [2629] [2630] [2631] [2632] [2633] [2634] [2635] [2636] [2637] [2638] [2639] [2640] [2641] [2642] [2643] [2644] [2645] [2646] [2647] [2648] [2649] [2650] [2651] [2652] [2653] [2654] [2655] [2656] [2657] [2658] [2659] [2660] [2661] [2662] [2663] [2664] [2665] [2666] [2667] [2668] [2669] [2670] [2671] [2672] [2673] [2674] [2675] [2676] [2677] [2678] [2679] [2680] [2681] [2682] [2683] [2684] [2685] [2686] [2687] [2688] [2689] [2690] [2691] [2692] [2693] [2694] [2695] [2696] [2697] [2698] [2699] [2700] [2701] [2702] [2703] [2704] [2705] [2706] [2707] [2708] [2709] [2710] [2711] [2712] [2713] [2714] [2715] [2716] [2717] [2718] [2719] [2720] [2721] [2722] [2723] [2724] [2725] [2726] [2727] [2728] [2729] [2730] [2731] [2732] [2733] [2734] [2735] [2736] [2737] [2738] [2739] [2740] [2741] [2742] [2743] [2744] [2745] [2746] [2747] [2748] [2749] [2750] [2751] [2752] [2753] [2754] [2755] [2756] [2757] [2758] [2759] [2760] [2761] [2762] [2763] [2764] [2765] [2766] [2767] [2768] [2769] [2770] [2771] [2772] [2773] [2774] [2775] [2776] [2777] [2778] [2779] [2780] [2781] [2782] [2783] [2784] [2785] [2786] [2787] [2788] [2789] [2790] [2791] [2792] [2793] [2794] [2795] [2796] [2797] [2798] [2799] [2800] [2801] [2802] [2803] [2804] [2805] [2806] [2807] [2808] [2809] [2810] [2811] [2812] [2813] [2814] [2815] [2816] [2817] [2818] [2819] [2820] [2821] [2822] [2823] [2824] [2825] [2826] [2827] [2828] [2829] [2830] [2831] [2832] [2833] [2834] [2835] [2836] [2837] [2838] [2839] [2840] [2841] [2842] [2843] [2844] [2845] [2846] [2847] [2848] [2849] [2850] 
[2851] [2852] [2853] [2854] [2855] [2856] [2857] [2858] [2859] [2860] [2861] [2862] [2863] [2864] [2865] [2866] [2867] [2868] [2869] [2870] [2871] [2872] [2873] [2874] [2875] [2876] [2877] [2878] [2879] [2880] [2881] [2882] [2883] [2884] [2885] [2886] [2887] [2888] [2889] [2890] [2891] [2892] [2893] [2894] [2895] [2896] [2897] [2898] [2899] [2900] [2901] [2902] [2903] [2904] [2905] [2906] [2907] [2908] [2909] [2910] [2911] [2912] [2913] [2914] [2915] [2916] [2917] [2918] [2919] [2920] [2921] [2922] [2923] [2924] [2925] [2926] [2927] [2928] [2929] [2930] [2931] [2932] [2933] [2934] [2935] [2936] [2937] [2938] [2939] [2940] [2941] [2942] [2943] [2944] [2945] [2946] [2947] [2948] [2949] [2950] [2951] [2952] [2953] [2954] [2955] [2956] [2957] [2958] [2959] [2960] [2961] [2962] [2963] [2964] [2965] [2966] [2967] [2968] [2969] [2970] [2971] [2972] [2973] [2974] [2975] [2976] [2977] [2978] [2979] [2980] [2981] [2982] [2983] [2984] [2985] [2986] [2987] [2988] [2989] [2990] [2991] [2992] [2993] [2994] [2995] [2996] [2997] [2998] [2999] [3000] [3001] [3002] [3003] [3004] [3005] [3006] [3007] [3008] [3009] [3010] [3011] [3012] [3013] [3014] [3015] [3016] [3017] [3018] [3019] [3020] [3021] [3022] [3023] [3024] [3025] [3026] [3027] [3028] [3029] [3030] [3031] [3032] [3033] [3034] [3035] [3036] [3037] [3038] [3039] [3040] [3041] [3042] [3043] [3044] [3045] [3046] [3047] [3048] [3049] [3050] [3051] [3052] [3053] [3054] [3055] [3056] [3057] [3058] [3059] [3060] [3061] [3062] [3063] [3064] [3065] [3066] [3067] [3068] [3069] [3070] [3071] [3072] [3073] [3074] [3075] [3076] [3077] [3078] [3079] [3080] [3081] [3082] [3083] [3084] [3085] [3086] [3087] [3088] [3089] [3090] [3091] [3092] [3093] [3094] [3095] [3096] [3097] [3098] [3099] [3100] [3101] [3102] [3103] [3104] [3105] [3106] [3107] [3108] [3109] [3110] [3111] [3112] [3113] [3114] [3115] [3116] [3117] [3118] [3119] [3120] [3121] [3122] [3123] [3124] [3125] [3126] [3127] [3128] [3129] [3130] [3131] [3132] [3133] [3134] [3135] 
[3136] [3137] [3138] [3139] [3140] [3141] [3142] [3143] [3144] [3145] [3146] [3147] [3148] [3149] [3150] [3151] [3152] [3153] [3154] [3155] [3156] [3157] [3158] [3159] [3160] [3161] [3162] [3163] [3164] [3165] [3166] [3167] [3168] [3169] [3170] [3171] [3172] [3173] [3174] [3175] [3176] [3177] [3178] [3179] [3180] [3181] [3182] [3183] [3184] [3185] [3186] [3187] [3188] [3189] [3190] [3191] [3192] [3193] [3194] [3195] [3196] [3197] [3198] [3199] [3200] [3201] [3202] [3203] [3204] [3205] [3206] [3207] [3208] [3209] [3210] [3211] [3212] [3213] [3214] [3215] [3216] [3217] [3218] [3219] [3220] [3221] [3222] [3223] [3224] [3225] [3226] [3227] [3228] [3229] [3230] [3231] [3232] [3233] [3234] [3235] [3236] [3237] [3238] [3239] [3240] [3241] [3242] [3243] [3244] [3245] [3246] [3247] [3248] [3249] [3250] [3251] [3252] [3253] [3254] [3255] [3256] [3257] [3258] [3259] [3260] [3261] [3262] [3263] [3264] [3265] [3266] [3267] [3268] [3269] [3270] [3271] [3272] [3273] [3274] [3275] [3276] [3277] [3278] [3279] [3280] [3281] [3282] [3283] [3284] [3285] [3286] [3287] [3288] [3289] [3290] [3291] [3292] [3293] [3294] [3295] [3296] [3297] [3298] [3299] [3300] [3301] [3302] [3303] [3304] [3305] [3306] [3307] [3308] [3309] [3310] [3311] [3312] [3313] [3314] [3315] [3316] [3317] [3318] [3319] [3320] [3321] [3322] [3323] [3324] [3325] [3326] [3327] [3328] [3329] [3330] [3331] [3332] [3333] [3334] [3335] [3336] [3337] [3338] [3339] [3340] [3341] [3342] [3343] [3344] [3345] [3346] [3347] [3348] [3349] [3350] [3351] [3352] [3353] [3354] [3355] [3356] [3357] [3358] [3359] [3360] [3361] [3362] [3363] [3364] [3365] [3366] [3367] [3368] [3369] [3370] [3371] [3372] [3373] [3374] [3375] [3376] [3377] [3378] [3379] [3380] [3381] [3382] [3383] [3384] [3385] [3386] [3387] [3388] [3389] [3390] [3391] [3392] [3393] [3394] [3395] [3396] [3397] [3398] [3399] [3400] [3401] [3402] [3403] [3404] [3405] [3406] [3407] [3408] [3409] [3410] [3411] [3412] [3413] [3414] [3415] [3416] [3417] [3418] [3419] [3420] 
[3421] [3422] [3423] [3424] [3425] [3426] [3427] [3428] [3429] [3430] [3431] [3432] [3433] [3434] [3435] [3436] [3437] [3438] [3439] [3440] [3441] [3442] [3443] [3444] [3445] [3446] [3447] [3448] [3449] [3450] [3451] [3452] [3453] [3454] [3455] [3456] [3457] [3458] [3459] [3460] [3461] [3462] [3463] [3464] [3465] [3466] [3467] [3468] [3469] [3470] [3471] [3472] [3473] [3474] [3475] [3476] [3477] [3478] [3479] [3480] [3481] [3482] [3483] [3484] [3485] [3486] [3487] [3488] [3489] [3490] [3491] [3492] [3493] [3494] [3495] [3496] [3497] [3498] [3499] [3500] [3501] [3502] [3503] [3504] [3505] [3506] [3507] [3508] [3509] [3510] [3511] [3512] [3513] [3514] [3515] [3516] [3517] [3518] [3519] [3520] [3521] [3522] [3523] [3524] [3525] [3526] [3527] [3528] [3529] [3530] [3531] [3532] [3533] [3534] [3535] [3536] [3537] [3538] [3539] [3540] [3541] [3542] [3543] [3544] [3545] [3546] [3547] [3548] [3549] [3550] [3551] [3552] [3553] [3554] [3555] [3556] [3557] [3558] [3559] [3560] [3561] [3562] [3563] [3564] [3565] [3566] [3567] [3568] [3569] [3570] [3571] [3572] [3573] [3574] [3575] [3576] [3577] [3578] [3579] [3580] [3581] [3582] [3583] [3584] [3585] [3586] [3587] [3588] [3589] [3590] [3591] [3592] [3593] [3594] [3595] [3596] [3597] [3598] [3599] [3600] [3601] [3602] [3603] [3604] [3605] [3606] [3607] [3608] [3609] [3610] [3611] [3612] [3613] [3614] [3615] [3616] [3617] [3618] [3619] [3620] [3621] [3622] [3623] [3624] [3625] [3626] [3627] [3628] [3629] [3630] [3631] [3632] [3633] [3634] [3635] [3636] [3637] [3638] [3639] [3640] [3641] [3642] [3643] [3644] [3645] [3646] [3647] [3648] [3649] [3650] [3651] [3652] [3653] [3654] [3655] [3656] [3657] [3658] [3659] [3660] [3661] [3662] [3663] [3664] [3665] [3666] [3667] [3668] [3669] [3670] [3671] [3672] [3673] [3674] [3675] [3676] [3677] [3678] [3679] [3680] [3681] [3682] [3683] [3684] [3685] [3686] [3687] [3688] [3689] [3690] [3691] [3692] [3693] [3694] [3695] [3696] [3697] [3698] [3699] [3700] [3701] [3702] [3703] [3704] [3705] 
[3706] [3707] [3708] [3709] [3710] [3711] [3712] [3713] [3714] [3715] [3716] [3717] [3718] [3719] [3720] [3721] [3722] [3723] [3724] [3725] [3726] [3727] [3728] [3729] [3730] [3731] [3732] [3733] [3734] [3735] [3736] [3737] [3738] [3739] [3740] [3741] [3742] [3743] [3744] [3745] [3746] [3747] [3748] [3749] [3750] [3751] [3752] [3753] [3754] [3755] [3756] [3757] [3758] [3759] [3760] [3761] [3762] [3763] [3764] [3765] [3766] [3767] [3768] [3769] [3770] [3771] [3772] [3773] [3774] [3775] [3776] [3777] [3778] [3779] [3780] [3781] [3782] [3783] [3784] [3785] [3786] [3787] [3788] [3789] [3790] [3791] [3792] [3793] [3794] [3795] [3796] [3797] [3798] [3799] [3800] [3801] [3802] [3803] [3804] [3805] [3806] [3807] [3808] [3809] [3810] [3811] [3812] [3813] [3814] [3815] [3816] [3817] [3818] [3819] [3820] [3821] [3822] [3823] [3824] [3825] [3826] [3827] [3828] [3829] [3830] [3831] [3832] [3833] [3834] [3835] [3836] [3837] [3838] [3839] [3840] [3841] [3842] [3843] [3844] [3845] [3846] [3847] [3848] [3849] [3850] [3851] [3852] [3853] [3854] [3855] [3856] [3857] [3858] [3859] [3860] [3861] [3862] [3863] [3864] [3865] [3866] [3867] [3868] [3869] [3870] [3871] [3872] [3873] [3874] [3875] [3876] [3877] [3878] [3879] [3880] [3881] [3882] [3883] [3884] [3885] [3886] [3887] [3888] [3889] [3890] [3891] [3892] [3893] [3894] [3895] [3896] [3897] [3898] [3899] [3900] [3901] [3902] [3903] [3904] [3905] [3906] [3907] [3908] [3909] [3910] [3911] [3912] [3913] [3914] [3915] [3916] [3917] [3918] [3919] [3920] [3921] [3922] [3923] [3924] [3925] [3926] [3927] [3928] [3929] [3930] [3931] [3932] [3933] [3934] [3935] [3936] [3937] [3938] [3939] [3940] [3941] [3942] [3943] [3944] [3945] [3946] [3947] [3948] [3949] [3950] [3951] [3952] [3953] [3954] [3955] [3956] [3957] [3958] [3959] [3960] [3961] [3962] [3963] [3964] [3965] [3966] [3967] [3968] [3969] [3970] [3971] [3972] [3973] [3974] [3975] [3976] [3977] [3978] [3979] [3980] [3981] [3982] [3983] [3984] [3985] [3986] [3987] [3988] [3989] [3990] 
[3991] [3992] [3993] [3994] [3995] [3996] [3997] [3998] [3999] [4000] [4001] [4002] [4003] [4004] [4005] [4006] [4007] [4008] [4009] [4010] [4011] [4012] [4013] [4014] [4015] [4016] [4017] [4018] [4019] [4020] [4021] [4022] [4023] [4024] [4025] [4026] [4027] [4028] [4029] [4030] [4031] [4032] [4033] [4034] [4035] [4036] [4037] [4038] [4039] [4040] [4041] [4042] [4043] [4044] [4045] [4046] [4047] [4048] [4049] [4050] [4051] [4052] [4053] [4054] [4055] [4056] [4057] [4058] [4059] [4060] [4061] [4062] [4063] [4064] [4065] [4066] [4067] [4068] [4069] [4070] [4071] [4072] [4073] [4074] [4075] [4076] [4077] [4078] [4079] [4080] [4081] [4082] [4083] [4084] [4085] [4086] [4087] [4088] [4089] [4090] [4091] [4092] [4093] [4094] [4095] [4096] [4097] [4098] [4099] [4100] [4101] [4102] [4103] [4104] [4105] [4106] [4107] [4108] [4109] [4110] [4111] [4112] [4113] [4114] [4115] [4116] [4117] [4118] [4119] [4120] [4121] [4122] [4123] [4124] [4125] [4126] [4127] [4128] [4129] [4130] [4131] [4132] [4133] [4134] [4135] [4136] [4137] [4138] [4139] [4140] [4141] [4142] [4143] [4144] [4145] [4146] [4147] [4148] [4149] [4150] [4151] [4152] [4153] [4154] [4155] [4156] [4157] [4158] [4159] [4160] [4161] [4162] [4163] [4164] [4165] [4166] [4167] [4168] [4169] [4170] [4171] [4172] [4173] [4174] [4175] [4176] [4177] [4178] [4179] [4180] [4181] [4182] [4183] [4184] [4185] [4186] [4187] [4188] [4189] [4190] [4191] [4192] [4193] [4194] [4195] [4196] [4197] [4198] [4199] [4200] [4201] [4202] [4203] [4204] [4205] [4206] [4207] [4208] [4209] [4210] [4211] [4212] [4213] [4214] [4215] [4216] [4217] [4218] [4219] [4220] [4221] [4222] [4223] [4224] [4225] [4226] [4227] [4228] [4229] [4230] [4231] [4232] [4233] [4234] [4235] [4236] [4237] [4238] [4239] [4240] [4241] [4242] [4243] [4244] [4245] [4246] [4247] [4248] [4249] [4250] [4251] [4252] [4253] [4254] [4255] [4256] [4257] [4258] [4259] [4260] [4261] [4262] [4263] [4264] [4265] [4266] [4267] [4268] [4269] [4270] [4271] [4272] [4273] [4274] [4275] 
[4276] [4277] [4278] [4279] [4280] [4281] [4282] [4283] [4284] [4285] [4286] [4287] [4288] [4289] [4290] [4291] [4292] [4293] [4294] [4295] [4296] [4297] [4298] [4299] [4300] [4301] [4302] [4303] [4304] [4305] [4306] [4307] [4308] [4309] [4310] [4311] [4312] [4313] [4314] [4315] [4316] [4317] [4318] [4319] [4320] [4321] [4322] [4323] [4324] [4325] [4326] [4327] [4328] [4329] [4330] [4331] [4332] [4333] [4334] [4335] [4336] [4337] [4338] [4339] [4340] [4341] [4342] [4343] [4344] [4345] [4346] [4347] [4348] [4349] [4350] [4351] [4352] [4353] [4354] [4355] [4356] [4357] [4358] [4359] [4360] [4361] [4362] [4363] [4364] [4365] [4366] [4367] [4368] [4369] [4370] [4371] [4372] [4373] [4374] [4375] [4376] [4377] [4378] [4379] [4380] [4381] [4382] [4383] [4384] [4385] [4386] [4387] [4388] [4389] [4390] [4391] [4392] [4393] [4394] [4395] [4396] [4397] [4398] [4399] [4400] [4401] [4402] [4403] [4404] [4405] [4406] [4407] [4408] [4409] [4410] [4411] [4412] [4413] [4414] [4415] [4416] [4417] [4418] [4419] [4420] [4421] [4422] [4423] [4424] [4425] [4426] [4427] [4428] [4429] [4430] [4431] [4432] [4433] [4434] [4435] [4436] [4437] [4438] [4439] [4440] [4441] [4442] [4443] [4444] [4445] [4446] [4447] [4448] [4449] [4450] [4451] [4452] [4453] [4454] [4455] [4456] [4457] [4458] [4459] [4460] [4461] [4462] [4463] [4464] [4465] [4466] [4467] [4468] [4469] [4470] [4471] [4472] [4473] [4474] [4475] [4476] [4477] [4478] [4479] [4480] [4481] [4482] [4483] [4484] [4485] [4486] [4487] [4488] [4489] [4490] [4491] [4492] [4493] [4494] [4495] [4496] [4497] [4498] [4499] [4500] [4501] [4502] [4503] [4504] [4505] [4506] [4507] [4508] [4509] [4510] [4511] [4512] [4513] [4514] [4515] [4516] [4517] [4518] [4519] [4520] [4521] [4522] [4523] [4524] [4525] [4526] [4527] [4528] [4529] [4530] [4531] [4532] [4533] [4534] [4535] [4536] [4537] [4538] [4539] [4540] [4541] [4542] [4543] [4544] [4545] [4546] [4547] [4548] [4549] [4550] [4551] [4552] [4553] [4554] [4555] [4556] [4557] [4558] [4559] [4560] 
[4561] [4562] [4563] [4564] [4565] [4566] [4567] [4568] [4569] [4570] [4571] [4572] [4573] [4574] [4575] [4576] [4577] [4578] [4579] [4580] [4581] [4582] [4583] [4584] [4585] [4586] [4587] [4588] [4589] [4590] [4591] [4592] [4593] [4594] [4595] [4596] [4597] [4598] [4599] [4600] [4601] [4602] [4603] [4604] [4605] [4606] [4607] [4608] [4609] [4610] [4611] [4612] [4613] [4614] [4615] [4616] [4617] [4618] [4619] [4620] [4621] [4622] [4623] [4624] [4625] [4626] [4627] [4628] [4629] [4630] [4631] [4632] [4633] [4634] [4635] [4636] [4637] [4638] [4639] [4640] [4641] [4642] [4643] [4644] [4645] [4646] [4647] [4648] [4649] [4650] [4651] [4652] [4653] [4654] [4655] [4656] [4657] [4658] [4659] [4660] [4661] [4662] [4663] [4664] [4665] [4666] [4667] [4668] [4669] [4670] [4671] [4672] [4673] [4674] [4675] [4676] [4677] [4678] [4679] [4680] [4681] [4682] [4683] [4684] [4685] [4686] [4687] [4688] [4689] [4690] [4691] [4692] [4693] [4694] [4695] [4696] [4697] [4698] [4699] [4700] [4701] [4702] [4703] [4704] [4705] [4706] [4707] [4708] [4709] [4710] [4711] [4712] [4713] [4714] [4715] [4716] [4717] [4718] [4719] [4720] [4721] [4722] [4723] [4724] [4725] [4726] [4727] [4728] [4729] [4730] [4731] [4732] [4733] [4734] [4735] [4736] [4737] [4738] [4739] [4740] [4741] [4742] [4743] [4744] [4745] [4746] [4747] [4748] [4749] [4750] [4751] [4752] [4753] [4754] [4755] [4756] [4757] [4758] [4759] [4760] [4761] [4762] [4763] [4764] [4765] [4766] [4767] [4768] [4769] [4770] [4771] [4772] [4773] [4774] [4775] [4776] [4777] [4778] [4779] [4780] [4781] [4782] [4783] [4784] [4785] [4786] [4787] [4788] [4789] [4790] [4791] [4792] [4793] [4794] [4795] [4796] [4797] [4798] [4799] [4800] [4801] [4802] [4803] [4804] [4805] [4806] [4807] [4808] [4809] [4810] [4811] [4812] [4813] [4814] [4815] [4816] [4817] [4818] [4819] [4820] [4821] [4822] [4823] [4824] [4825] [4826] [4827] [4828] [4829] [4830] [4831] [4832] [4833] [4834] [4835] [4836] [4837] [4838] [4839] [4840] [4841] [4842] [4843] [4844] [4845] 
[4846] [4847] [4848] [4849] [4850] [4851] [4852] [4853] [4854] [4855] [4856] [4857] [4858] [4859] [4860] [4861] [4862] [4863] [4864] [4865] [4866] [4867] [4868] [4869] [4870] [4871] [4872] [4873] [4874] [4875] [4876] [4877] [4878] [4879] [4880] [4881] [4882] [4883] [4884] [4885] [4886] [4887] [4888] [4889] [4890] [4891] [4892] [4893] [4894] [4895] [4896] [4897] [4898] [4899] [4900] [4901] [4902] [4903] [4904] [4905] [4906] [4907] [4908] [4909] [4910] [4911] [4912] [4913] [4914] [4915] [4916] [4917] [4918] [4919] [4920] [4921] [4922] [4923] [4924] [4925] [4926] [4927] [4928] [4929] [4930] [4931] [4932] [4933] [4934] [4935] [4936] [4937] [4938] [4939] [4940] [4941] [4942] [4943] [4944] [4945] [4946] [4947] [4948] [4949] [4950] [4951] [4952] [4953] [4954] [4955] [4956] [4957] [4958] [4959] [4960] [4961] [4962] [4963] [4964] [4965] [4966] [4967] [4968] [4969] [4970] [4971] [4972] [4973] [4974] [4975] [4976] [4977] [4978] [4979] [4980] [4981] [4982] [4983] [4984] [4985] [4986] [4987] [4988] [4989] [4990] [4991] [4992] [4993] [4994] [4995] [4996] [4997] [4998] [4999] [5000] [5001] [5002] [5003] [5004] [5005] [5006] [5007] [5008] [5009] [5010] [5011] [5012] [5013] [5014] [5015] [5016] [5017] [5018] [5019] [5020] [5021] [5022] [5023] [5024] [5025] [5026] [5027] [5028] [5029] [5030] [5031] [5032] [5033] [5034] [5035] [5036] [5037] [5038] [5039] [5040] [5041] [5042] [5043] [5044] [5045] [5046] [5047] [5048] [5049] [5050] [5051] [5052] [5053] [5054] [5055] [5056] [5057] [5058] [5059] [5060] [5061] [5062] [5063] [5064] [5065] [5066] [5067] [5068] [5069] [5070] [5071] [5072] [5073] [5074] [5075] [5076] [5077] [5078] [5079] [5080] [5081] [5082] [5083] [5084] [5085] [5086] [5087] [5088] [5089] [5090] [5091] [5092] [5093] [5094] [5095] [5096] [5097] [5098] [5099] [5100] [5101] [5102] [5103] [5104] [5105] [5106] [5107] [5108] [5109] [5110] [5111] [5112] [5113] [5114] [5115] [5116] [5117] [5118] [5119] [5120] [5121] [5122] [5123] [5124] [5125] [5126] [5127] [5128] [5129] [5130] 
[5131] [5132] [5133] [5134] [5135] [5136] [5137] [5138] [5139] [5140] [5141] [5142] [5143] [5144] [5145] [5146] [5147] [5148] [5149] [5150] [5151] [5152] [5153] [5154] [5155] [5156] [5157] [5158] [5159] [5160] [5161] [5162] [5163] [5164] [5165] [5166] [5167] [5168] [5169] [5170] [5171] [5172] [5173] [5174] [5175] [5176] [5177] [5178] [5179] [5180] [5181] [5182] [5183] [5184] [5185] [5186] [5187] [5188] [5189] [5190] [5191] [5192] [5193] [5194] [5195] [5196] [5197] [5198] [5199] [5200] [5201] [5202] [5203] [5204] [5205] [5206] [5207] [5208] [5209] [5210] [5211] [5212] [5213] [5214] [5215] [5216] [5217] [5218] [5219] [5220] [5221] [5222] [5223] [5224] [5225] [5226] [5227] [5228] [5229] [5230] [5231] [5232] [5233] [5234] [5235] [5236] [5237] [5238] [5239] [5240] [5241] [5242] [5243] [5244] [5245] [5246] [5247] [5248] [5249] [5250] [5251] [5252] [5253] [5254] [5255] [5256] [5257] [5258] [5259] [5260] [5261] [5262] [5263] [5264] [5265] [5266] [5267] [5268] [5269] [5270] [5271] [5272] [5273] [5274] [5275] [5276] [5277] [5278] [5279] [5280] [5281] [5282] [5283] [5284] [5285] [5286] [5287] [5288] [5289] [5290] [5291] [5292] [5293] [5294] [5295] [5296] [5297] [5298] [5299] [5300] [5301] [5302] [5303] [5304] [5305] [5306] [5307] [5308] [5309] [5310] [5311] [5312] [5313] [5314] [5315] [5316] [5317] [5318] [5319] [5320] [5321] [5322] [5323] [5324] [5325] [5326] [5327] [5328] [5329] [5330] [5331] [5332] [5333] [5334] [5335] [5336] [5337] [5338] [5339] [5340] [5341] [5342] [5343] [5344] [5345] [5346] [5347] [5348] [5349] [5350] [5351] [5352] [5353] [5354] [5355] [5356] [5357] [5358] [5359] [5360] [5361] [5362] [5363] [5364] [5365] [5366] [5367] [5368] [5369] [5370] [5371] [5372] [5373] [5374] [5375] [5376] [5377] [5378] [5379] [5380] [5381] [5382] [5383] [5384] [5385] [5386] [5387] [5388] [5389] [5390] [5391] [5392] [5393] [5394] [5395] [5396] [5397] [5398] [5399] [5400] [5401] [5402] [5403] [5404] [5405] [5406] [5407] [5408] [5409] [5410] [5411] [5412] [5413] [5414] [5415] 
[5416] [5417] [5418] [5419] [5420] [5421] [5422] [5423] [5424] [5425] [5426] [5427] [5428] [5429] [5430] [5431] [5432] [5433] [5434] [5435] [5436] [5437] [5438] [5439] [5440] [5441] [5442] [5443] [5444] [5445] [5446] [5447] [5448] [5449] [5450] [5451] [5452] [5453] [5454] [5455] [5456] [5457] [5458] [5459] [5460] [5461] [5462] [5463] [5464] [5465] [5466] [5467] [5468] [5469] [5470] [5471] [5472] [5473] [5474] [5475] [5476] [5477] [5478] [5479] [5480] [5481] [5482] [5483] [5484] [5485] [5486] [5487] [5488] [5489] [5490] [5491] [5492] [5493] [5494] [5495] [5496] [5497] [5498] [5499] [5500] [5501] [5502] [5503] [5504] [5505] [5506] [5507] [5508] [5509] [5510] [5511] [5512] [5513] [5514] [5515] [5516] [5517] [5518] [5519] [5520] [5521] [5522] [5523] [5524] [5525] [5526] [5527] [5528] [5529] [5530] [5531] [5532] [5533] [5534] [5535] [5536] [5537] [5538] [5539] [5540] [5541] [5542] [5543] [5544] [5545] [5546] [5547] [5548] [5549] [5550] [5551] [5552] [5553] [5554] [5555] [5556] [5557] [5558] [5559] [5560] [5561] [5562] [5563] [5564] [5565] [5566] [5567] [5568] [5569] [5570] [5571] [5572] [5573] [5574] [5575] [5576] [5577] [5578] [5579] [5580] [5581] [5582] [5583] [5584] [5585] [5586] [5587] [5588] [5589] [5590] [5591] [5592] [5593] [5594] [5595] [5596] [5597] [5598] [5599] [5600] [5601] [5602] [5603] [5604] [5605] [5606] [5607] [5608] [5609] [5610] [5611] [5612] [5613] [5614] [5615] [5616] [5617] [5618] [5619] [5620] [5621] [5622] [5623] [5624] [5625] [5626] [5627] [5628] [5629] [5630] [5631] [5632] [5633] [5634] [5635] [5636] [5637] [5638] [5639] [5640] [5641] [5642] [5643] [5644] [5645] [5646] [5647] [5648] [5649] [5650] [5651] [5652] [5653] [5654] [5655] [5656] [5657] [5658] [5659] [5660] [5661] [5662] [5663] [5664] [5665] [5666] [5667] [5668] [5669] [5670] [5671] [5672] [5673] [5674] [5675] [5676] [5677] [5678] [5679] [5680] [5681] [5682] [5683] [5684] [5685] [5686] [5687] [5688] [5689] [5690] [5691] [5692] [5693] [5694] [5695] [5696] [5697] [5698] [5699] [5700] 
[5701] [5702] [5703] [5704] [5705] [5706] [5707] [5708] [5709] [5710] [5711] [5712] [5713] [5714] [5715] [5716] [5717] [5718] [5719] [5720] [5721] [5722] [5723] [5724] [5725] [5726] [5727] [5728] [5729] [5730] [5731] [5732] [5733] [5734] [5735] [5736] [5737] [5738] [5739] [5740] [5741] [5742] [5743] [5744] [5745] [5746] [5747] [5748] [5749] [5750] [5751] [5752] [5753] [5754] [5755] [5756] [5757] [5758] [5759] [5760] [5761] [5762] [5763] [5764] [5765] [5766] [5767] [5768] [5769] [5770] [5771] [5772] [5773] [5774] [5775] [5776] [5777] [5778] [5779] [5780] [5781] [5782] [5783] [5784] [5785] [5786] [5787] [5788] [5789] [5790] [5791] [5792] [5793] [5794] [5795] [5796] [5797] [5798] [5799] [5800] [5801] [5802] [5803] [5804] [5805] [5806] [5807] [5808] [5809] [5810] [5811] [5812] [5813] [5814] [5815] [5816] [5817] [5818] [5819] [5820] [5821] [5822] [5823] [5824] [5825] [5826] [5827] [5828] [5829] [5830] [5831] [5832] [5833] [5834] [5835] [5836] [5837] [5838] [5839] [5840] [5841] [5842] [5843] [5844] [5845] [5846] [5847] [5848] [5849] [5850] [5851] [5852] [5853] [5854] [5855] [5856] [5857] [5858] [5859] [5860] [5861] [5862] [5863] [5864] [5865] [5866] [5867] [5868] [5869] [5870] [5871] [5872] [5873] [5874] [5875] [5876] [5877] [5878] [5879] [5880] [5881] [5882] [5883] [5884] [5885] [5886] [5887] [5888] [5889] [5890] [5891] [5892] [5893] [5894] [5895] [5896] [5897] [5898] [5899] [5900] [5901] [5902] [5903] [5904] [5905] [5906] [5907] [5908] [5909] [5910] [5911] [5912] [5913] [5914] [5915] [5916] [5917] [5918] [5919] [5920] [5921] [5922] [5923] [5924] [5925] [5926] [5927] [5928] [5929] [5930] [5931] [5932] [5933] [5934] [5935] [5936] [5937] [5938] [5939] [5940] [5941] [5942] [5943] [5944] [5945] [5946] [5947] [5948] [5949] [5950] [5951] [5952] [5953] [5954] [5955] [5956] [5957] [5958] [5959] [5960] [5961] [5962] [5963] [5964] [5965] [5966] [5967] [5968] [5969] [5970] [5971] [5972] [5973] [5974] [5975] [5976] [5977] [5978] [5979] [5980] [5981] [5982] [5983] [5984] [5985] 
[5986] [5987] [5988] [5989] [5990] [5991] [5992] [5993] [5994] [5995] [5996] [5997] [5998] [5999] [6000] [6001] [6002] [6003] [6004] [6005] [6006] [6007] [6008] [6009] [6010] [6011] [6012] [6013] [6014] [6015] [6016] [6017] [6018] [6019] [6020] [6021] [6022] [6023] [6024] [6025] [6026] [6027] [6028] [6029] [6030] [6031] [6032] [6033] [6034] [6035] [6036] [6037] [6038] [6039] [6040] [6041] [6042] [6043] [6044] [6045] [6046] [6047] [6048] [6049] [6050] [6051] [6052] [6053] [6054] [6055] [6056] [6057] [6058] [6059] [6060] [6061] [6062] [6063] [6064] [6065] [6066] [6067] [6068] [6069] [6070] [6071] [6072] [6073] [6074] [6075] [6076] [6077] [6078] [6079] [6080] [6081] [6082] [6083] [6084] [6085] [6086] [6087] [6088] [6089] [6090] [6091] [6092] [6093] [6094] [6095] [6096] [6097] [6098] [6099] [6100] [6101] [6102] [6103] [6104] [6105] [6106] [6107] [6108] [6109] [6110] [6111] [6112] [6113] [6114] [6115] [6116] [6117] [6118] [6119] [6120] [6121] [6122] [6123] [6124] [6125] [6126] [6127] [6128] [6129] [6130] [6131] [6132] [6133] [6134] [6135] [6136] [6137] [6138] [6139] [6140] [6141] [6142] [6143] [6144] [6145] [6146] [6147] [6148] [6149] [6150] [6151] [6152] [6153] [6154] [6155] [6156] [6157] [6158] [6159] [6160] [6161] [6162] [6163] [6164] [6165] [6166] [6167] [6168] [6169] [6170] [6171] [6172] [6173] [6174] [6175] [6176] [6177] [6178] [6179] [6180] [6181] [6182] [6183] [6184] [6185] [6186] [6187] [6188] [6189] [6190] [6191] [6192] [6193] [6194] [6195] [6196] [6197] [6198] [6199] [6200] [6201] [6202] [6203] [6204] [6205] [6206] [6207] [6208] [6209] [6210] [6211] [6212] [6213] [6214] [6215] [6216] [6217] [6218] [6219] [6220] [6221] [6222] [6223] [6224] [6225] [6226] [6227] [6228] [6229] [6230] [6231] [6232] [6233] [6234] [6235] [6236] [6237] [6238] [6239] [6240] [6241] [6242] [6243] [6244] [6245] [6246] [6247] [6248] [6249] [6250] [6251] [6252] [6253] [6254] [6255] [6256] [6257] [6258] [6259] [6260] [6261] [6262] [6263] [6264] [6265] [6266] [6267] [6268] [6269] [6270] 
[6271] [6272] [6273] [6274] [6275] [6276] [6277] [6278] [6279] [6280] [6281] [6282] [6283] [6284] [6285] [6286] [6287] [6288] [6289] [6290] [6291] [6292] [6293] [6294] [6295] [6296] [6297] [6298] [6299] [6300] [6301] [6302] [6303] [6304] [6305] [6306] [6307] [6308] [6309] [6310] [6311] [6312] [6313] [6314] [6315] [6316] [6317] [6318] [6319] [6320] [6321] [6322] [6323] [6324] [6325] [6326] [6327] [6328] [6329] [6330] [6331] [6332] [6333] [6334] [6335] [6336] [6337] [6338] [6339] [6340] [6341] [6342] [6343] [6344] [6345] [6346] [6347] [6348] [6349] [6350] [6351] [6352] [6353] [6354] [6355] [6356] [6357] [6358] [6359] [6360] [6361] [6362] [6363] [6364] [6365] [6366] [6367] [6368] [6369] [6370] [6371] [6372] [6373] [6374] [6375] [6376] [6377] [6378] [6379] [6380] [6381] [6382] [6383] [6384] [6385] [6386] [6387] [6388] [6389] [6390] [6391] [6392] [6393] [6394] [6395] [6396] [6397] [6398] [6399] [6400] [6401] [6402] [6403] [6404] [6405] [6406] [6407] [6408] [6409] [6410] [6411] [6412] [6413] [6414] [6415] [6416] [6417] [6418] [6419] [6420] [6421] [6422] [6423] [6424] [6425] [6426] [6427] [6428] [6429] [6430] [6431] [6432] [6433] [6434] [6435] [6436] [6437] [6438] [6439] [6440] [6441] [6442] [6443] [6444] [6445] [6446] [6447] [6448] [6449] [6450] [6451] [6452] [6453] [6454] [6455] [6456] [6457] [6458] [6459] [6460] [6461] [6462] [6463] [6464] [6465] [6466] [6467] [6468] [6469] [6470] [6471] [6472] [6473] [6474] [6475] [6476] [6477] [6478] [6479] [6480] [6481] [6482] [6483] [6484] [6485] [6486] [6487] [6488] [6489] [6490] [6491] [6492] [6493] [6494] [6495] [6496] [6497] [6498] [6499] [6500] [6501] [6502] [6503] [6504] [6505] [6506] [6507] [6508] [6509] [6510] [6511] [6512] [6513] [6514] [6515] [6516] [6517] [6518] [6519] [6520] [6521] [6522] [6523] [6524] [6525] [6526] [6527] [6528] [6529] [6530] [6531] [6532] [6533] [6534] [6535] [6536] [6537] [6538] [6539] [6540] [6541] [6542] [6543] [6544] [6545] [6546] [6547] [6548] [6549] [6550] [6551] [6552] [6553] [6554] [6555] 
[6556] [6557] [6558] [6559] [6560] [6561] [6562] [6563] [6564] [6565] [6566] [6567] [6568] [6569] [6570] [6571] [6572] [6573] [6574] [6575] [6576] [6577] [6578] [6579] [6580] [6581] [6582] [6583] [6584] [6585] [6586] [6587] [6588] [6589] [6590] [6591] [6592] [6593] [6594] [6595] [6596] [6597] [6598] [6599] [6600] [6601] [6602] [6603] [6604] [6605] [6606] [6607] [6608] [6609] [6610] [6611] [6612] [6613] [6614] [6615] [6616] [6617] [6618] [6619] [6620] [6621] [6622] [6623] [6624] [6625] [6626] [6627] [6628] [6629] [6630] [6631] [6632] [6633] [6634] [6635] [6636] [6637] [6638] [6639] [6640] [6641] [6642] [6643] [6644] [6645] [6646] [6647] [6648] [6649] [6650] [6651] [6652] [6653] [6654] [6655] [6656] [6657] [6658] [6659] [6660] [6661] [6662] [6663] [6664] [6665] [6666] [6667] [6668] [6669] [6670] [6671] [6672] [6673] [6674] [6675] [6676] [6677] [6678] [6679] [6680] [6681] [6682] [6683] [6684] [6685] [6686] [6687] [6688] [6689] [6690] [6691] [6692] [6693] [6694] [6695] [6696] [6697] [6698] [6699] [6700] [6701] [6702] [6703] [6704] [6705] [6706] [6707] [6708] [6709] [6710] [6711] [6712] [6713] [6714] [6715] [6716] [6717] [6718] [6719] [6720] [6721] [6722] [6723] [6724] [6725] [6726] [6727] [6728] [6729] [6730] [6731] [6732] [6733] [6734] [6735] [6736] [6737] [6738] [6739] [6740] [6741] [6742] [6743] [6744] [6745] [6746] [6747] [6748] [6749] [6750] [6751] [6752] [6753] [6754] [6755] [6756] [6757] [6758] [6759] [6760] [6761] [6762] [6763] [6764] [6765] [6766] [6767] [6768] [6769] [6770] [6771] [6772] [6773] [6774] [6775] [6776] [6777] [6778] [6779] [6780] [6781] [6782] [6783] [6784] [6785] [6786] [6787] [6788] [6789] [6790] [6791] [6792] [6793] [6794] [6795] [6796] [6797] [6798] [6799] [6800] [6801] [6802] [6803] [6804] [6805] [6806] [6807] [6808] [6809] [6810] [6811] [6812] [6813] [6814] [6815] [6816] [6817] [6818] [6819] [6820] [6821] [6822] [6823] [6824] [6825] [6826] [6827] [6828] [6829] [6830] [6831] [6832] [6833] [6834] [6835] [6836] [6837] [6838] [6839] [6840] 
[6841] [6842] [6843] [6844] [6845] [6846] [6847] [6848] [6849] [6850] [6851] [6852] [6853] [6854] [6855] [6856] [6857] [6858] [6859] [6860] [6861] [6862] [6863] [6864] [6865] [6866] [6867] [6868] [6869] [6870] [6871] [6872] [6873] [6874] [6875] [6876] [6877] [6878] [6879] [6880] [6881] [6882] [6883] [6884] [6885] [6886] [6887] [6888] [6889] [6890] [6891] [6892] [6893] [6894] [6895] [6896] [6897] [6898] [6899] [6900] [6901] [6902] [6903] [6904] [6905] [6906] [6907] [6908] [6909] [6910] [6911] [6912] [6913] [6914] [6915] [6916] [6917] [6918] [6919] [6920] [6921] [6922] [6923] [6924] [6925] [6926] [6927] [6928] [6929] [6930] [6931] [6932] [6933] [6934] [6935] [6936] [6937] [6938] [6939] [6940] [6941] [6942] [6943] [6944] [6945] [6946] [6947] [6948] [6949] [6950] [6951] [6952] [6953] [6954] [6955] [6956] [6957] [6958] [6959] [6960] [6961] [6962] [6963] [6964] [6965] [6966] [6967] [6968] [6969] [6970] [6971] [6972] [6973] [6974] [6975] [6976] [6977] [6978] [6979] [6980] [6981] [6982] [6983] [6984] [6985] [6986] [6987] [6988] [6989] [6990] [6991] [6992] [6993] [6994] [6995] [6996] [6997] [6998] [6999] [7000] [7001] [7002] [7003] [7004] [7005] [7006] [7007] [7008] [7009] [7010] [7011] [7012] [7013] [7014] [7015] [7016] [7017] [7018] [7019] [7020] [7021] [7022] [7023] [7024] [7025] [7026] [7027] [7028] [7029] [7030] [7031] [7032] [7033] [7034] [7035] [7036] [7037] [7038] [7039] [7040] [7041] [7042] [7043] [7044] [7045] [7046] [7047] [7048] [7049] [7050] [7051] [7052] [7053] [7054] [7055] [7056] [7057] [7058] [7059] [7060] [7061] [7062] [7063] [7064] [7065] [7066] [7067] [7068] [7069] [7070] [7071] [7072] [7073] [7074] [7075] [7076] [7077] [7078] [7079] [7080] [7081] [7082] [7083] [7084] [7085] [7086] [7087] [7088] [7089] [7090] [7091] [7092] [7093] [7094] [7095] [7096] [7097] [7098] [7099] [7100] [7101] [7102] [7103] [7104] [7105] [7106] [7107] [7108] [7109] [7110] [7111] [7112] [7113] [7114] [7115] [7116] [7117] [7118] [7119] [7120] [7121] [7122] [7123] [7124] [7125] 
[7126] [7127] [7128] [7129] [7130] [7131] [7132] [7133] [7134] [7135] [7136] [7137] [7138] [7139] [7140] [7141] [7142] [7143] [7144] [7145] [7146] [7147] [7148] [7149] [7150] [7151] [7152] [7153] [7154] [7155] [7156] [7157] [7158] [7159] [7160] [7161] [7162] [7163] [7164] [7165] [7166] [7167] [7168] [7169] [7170] [7171] [7172] [7173] [7174] [7175] [7176] [7177] [7178] [7179] [7180] [7181] [7182] [7183] [7184] [7185] [7186] [7187] [7188] [7189] [7190] [7191] [7192] [7193] [7194] [7195] [7196] [7197] [7198] [7199] [7200] [7201] [7202] [7203] [7204] [7205] [7206] [7207] [7208] [7209] [7210] [7211] [7212] [7213] [7214] [7215] [7216] [7217] [7218] [7219] [7220] [7221] [7222] [7223] [7224] [7225] [7226] [7227] [7228] [7229] [7230] [7231] [7232] [7233] [7234] [7235] [7236] [7237] [7238] [7239] [7240] [7241] [7242] [7243] [7244] [7245] [7246] [7247] [7248] [7249] [7250] [7251] [7252] [7253] [7254] [7255] [7256] [7257] [7258] [7259] [7260] [7261] [7262] [7263] [7264] [7265] [7266] [7267] [7268] [7269] [7270] [7271] [7272] [7273] [7274] [7275] [7276] [7277] [7278] [7279] [7280] [7281] [7282] [7283] [7284] [7285] [7286] [7287] [7288] [7289] [7290] [7291] [7292] [7293] [7294] [7295] [7296] [7297] [7298] [7299] [7300] [7301] [7302] [7303] [7304] [7305] [7306] [7307] [7308] [7309] [7310] [7311] [7312] [7313] [7314] [7315] [7316] [7317] [7318] [7319] [7320] [7321] [7322] [7323] [7324] [7325] [7326] [7327] [7328] [7329] [7330] [7331] [7332] [7333] [7334] [7335] [7336] [7337] [7338] [7339] [7340] [7341] [7342] [7343] [7344] [7345] [7346] [7347] [7348] [7349] [7350] [7351] [7352] [7353] [7354] [7355] [7356] [7357] [7358] [7359] [7360] [7361] [7362] [7363] [7364] [7365] [7366] [7367] [7368] [7369] [7370] [7371] [7372] [7373] [7374] [7375] [7376] [7377] [7378] [7379] [7380] [7381] [7382] [7383] [7384] [7385] [7386] [7387] [7388] [7389] [7390] [7391] [7392] [7393] [7394] [7395] [7396] [7397] [7398] [7399] [7400] [7401] [7402] [7403] [7404] [7405] [7406] [7407] [7408] [7409] [7410] 
[7411] [7412] [7413] [7414] [7415] [7416] [7417] [7418] [7419] [7420] [7421] [7422] [7423] [7424] [7425] [7426] [7427] [7428] [7429] [7430] [7431] [7432] [7433] [7434] [7435] [7436] [7437] [7438] [7439] [7440] [7441] [7442] [7443] [7444] [7445] [7446] [7447] [7448] [7449] [7450] [7451] [7452] [7453] [7454] [7455] [7456] [7457] [7458] [7459] [7460] [7461] [7462] [7463] [7464] [7465] [7466] [7467] [7468] [7469] [7470] [7471] [7472] [7473] [7474] [7475] [7476] [7477] [7478] [7479] [7480] [7481] [7482] [7483] [7484] [7485] [7486] [7487] [7488] [7489] [7490] [7491] [7492] [7493] [7494] [7495] [7496] [7497] [7498] [7499] [7500] [7501] [7502] [7503] [7504] [7505] [7506] [7507] [7508] [7509] [7510] [7511] [7512] [7513] [7514] [7515] [7516] [7517] [7518] [7519] [7520] [7521] [7522] [7523] [7524] [7525] [7526] [7527] [7528] [7529] [7530] [7531] [7532] [7533] [7534] [7535] [7536] [7537] [7538] [7539] [7540] [7541] [7542] [7543] [7544] [7545] [7546] [7547] [7548] [7549] [7550] [7551] [7552] [7553] [7554] [7555] [7556] [7557] [7558] [7559] [7560] [7561] [7562] [7563] [7564] [7565] [7566] [7567] [7568] [7569] [7570] [7571] [7572] [7573] [7574] [7575] [7576] [7577] [7578] [7579] [7580] [7581] [7582] [7583] [7584] [7585] [7586] [7587] [7588] [7589] [7590] [7591] [7592] [7593] [7594] [7595] [7596] [7597] [7598] [7599] [7600] [7601] [7602] [7603] [7604] [7605] [7606] [7607] [7608] [7609] [7610] [7611] [7612] [7613] [7614] [7615] [7616] [7617] [7618] [7619] [7620] [7621] [7622] [7623] [7624] [7625] [7626] [7627] [7628] [7629] [7630] [7631] [7632] [7633] [7634] [7635] [7636] [7637] [7638] [7639] [7640] [7641] [7642] [7643] [7644] [7645] [7646] [7647] [7648] [7649] [7650] [7651] [7652] [7653] [7654] [7655] [7656] [7657] [7658] [7659] [7660] [7661] [7662] [7663] [7664] [7665] [7666] [7667] [7668] [7669] [7670] [7671] [7672] [7673] [7674] [7675] [7676] [7677] [7678] [7679] [7680] [7681] [7682] [7683] [7684] [7685] [7686] [7687] [7688] [7689] [7690] [7691] [7692] [7693] [7694] [7695] 
[7696] [7697] [7698] [7699] [7700] [7701] [7702] [7703] [7704] [7705] [7706] [7707] [7708] [7709] [7710] [7711] [7712] [7713] [7714] [7715] [7716] [7717] [7718] [7719] [7720] [7721] [7722] [7723] [7724] [7725] [7726] [7727] [7728] [7729] [7730] [7731] [7732] [7733] [7734] [7735] [7736] [7737] [7738] [7739] [7740] [7741] [7742] [7743] [7744] [7745] [7746] [7747] [7748] [7749] [7750] [7751] [7752] [7753] [7754] [7755] [7756] [7757] [7758] [7759] [7760] [7761] [7762] [7763] [7764] [7765] [7766] [7767] [7768] [7769] [7770] [7771] [7772] [7773] [7774] [7775] [7776] [7777] [7778] [7779] [7780] [7781] [7782] [7783] [7784] [7785] [7786] [7787] [7788] [7789] [7790] [7791] [7792] [7793] [7794] [7795] [7796] [7797] [7798] [7799] [7800] [7801] [7802] [7803] [7804] [7805] [7806] [7807] [7808] [7809] [7810] [7811] [7812] [7813] [7814] [7815] [7816] [7817] [7818] [7819] [7820] [7821] [7822] [7823] [7824] [7825] [7826] [7827] [7828] [7829] [7830] [7831] [7832] [7833] [7834] [7835] [7836] [7837] [7838] [7839] [7840] [7841] [7842] [7843] [7844] [7845] [7846] [7847] [7848] [7849] [7850] [7851] [7852] [7853] [7854] [7855] [7856] [7857] [7858] [7859] [7860] [7861] [7862] [7863] [7864] [7865] [7866] [7867] [7868] [7869] [7870] [7871] [7872] [7873] [7874] [7875] [7876] [7877] [7878] [7879] [7880] [7881] [7882] [7883] [7884] [7885] [7886] [7887] [7888] [7889] [7890] [7891] [7892] [7893] [7894] [7895] [7896] [7897] [7898] [7899] [7900] [7901] [7902] [7903] [7904] [7905] [7906] [7907] [7908] [7909] [7910] [7911] [7912] [7913] [7914] [7915] [7916] [7917] [7918] [7919] [7920] [7921] [7922] [7923] [7924] [7925] [7926] [7927] [7928] [7929] [7930] [7931] [7932] [7933] [7934] [7935] [7936] [7937] [7938] [7939] [7940] [7941] [7942] [7943] [7944] [7945] [7946] [7947] [7948] [7949] [7950] [7951] [7952] [7953] [7954] [7955] [7956] [7957] [7958] [7959] [7960] [7961] [7962] [7963] [7964] [7965] [7966] [7967] [7968] [7969] [7970] [7971] [7972] [7973] [7974] [7975] [7976] [7977] [7978] [7979] [7980] 
[7981] [7982] [7983] [7984] [7985] [7986] [7987] [7988] [7989] [7990] [7991] [7992] [7993] [7994] [7995] [7996] [7997] [7998] [7999] [8000] [8001] [8002] [8003] [8004] [8005] [8006] [8007] [8008] [8009] [8010] [8011] [8012] [8013] [8014] [8015] [8016] [8017] [8018] [8019] [8020] [8021] [8022] [8023] [8024] [8025] [8026] [8027] [8028] [8029] [8030] [8031] [8032] [8033] [8034] [8035] [8036] [8037] [8038] [8039] [8040] [8041] [8042] [8043] [8044] [8045] [8046] [8047] [8048] [8049] [8050] [8051] [8052] [8053] [8054] [8055] [8056] [8057] [8058] [8059] [8060] [8061] [8062] [8063] [8064] [8065] [8066] [8067] [8068] [8069] [8070] [8071] [8072] [8073] [8074] [8075] [8076] [8077] [8078] [8079] [8080] [8081] [8082] [8083] [8084] [8085] [8086] [8087] [8088] [8089] [8090] [8091] [8092] [8093] [8094] [8095] [8096] [8097] [8098] [8099] [8100] [8101] [8102] [8103] [8104] [8105] [8106] [8107] [8108] [8109] [8110] [8111] [8112] [8113] [8114] [8115] [8116] [8117] [8118] [8119] [8120] [8121] [8122] [8123] [8124] [8125] [8126] [8127] [8128] [8129] [8130] [8131] [8132] [8133] [8134] [8135] [8136] [8137] [8138] [8139] [8140] [8141] [8142] [8143] [8144] [8145] [8146] [8147] [8148] [8149] [8150] [8151] [8152] [8153] [8154] [8155] [8156] [8157] [8158] [8159] [8160] [8161] [8162] [8163] [8164] [8165] [8166] [8167] [8168] [8169] [8170] [8171] [8172] [8173] [8174] [8175] [8176] [8177] [8178] [8179] [8180] [8181] [8182] [8183] [8184] [8185] [8186] [8187] [8188] [8189] [8190] [8191] [8192] [8193] [8194] [8195] [8196] [8197] [8198] [8199] [8200] [8201] [8202] [8203] [8204] [8205] [8206] [8207] [8208] [8209] [8210] [8211] [8212] [8213] [8214] [8215] [8216] [8217] [8218] [8219] [8220] [8221] [8222] [8223] [8224] [8225] [8226] [8227] [8228] [8229] [8230] [8231] [8232] [8233] [8234] [8235] [8236] [8237] [8238] [8239] [8240] [8241] [8242] [8243] [8244] [8245] [8246] [8247] [8248] [8249] [8250] [8251] [8252] [8253] [8254] [8255] [8256] [8257] [8258] [8259] [8260] [8261] [8262] [8263] [8264] [8265] 
[8266] [8267] [8268] [8269] [8270] [8271] [8272] [8273] [8274] [8275] [8276] [8277] [8278] [8279] [8280] [8281] [8282] [8283] [8284] [8285] [8286] [8287] [8288] [8289] [8290] [8291] [8292] [8293] [8294] [8295] [8296] [8297] [8298] [8299] [8300] [8301] [8302] [8303] [8304] [8305] [8306] [8307] [8308] [8309] [8310] [8311] [8312] [8313] [8314] [8315] [8316] [8317] [8318] [8319] [8320] [8321] [8322] [8323] [8324] [8325] [8326] [8327] [8328] [8329] [8330] [8331] [8332] [8333] [8334] [8335] [8336] [8337] [8338] [8339] [8340] [8341] [8342] [8343] [8344] [8345] [8346] [8347] [8348] [8349] [8350] [8351] [8352] [8353] [8354] [8355] [8356] [8357] [8358] [8359] [8360] [8361] [8362] [8363] [8364] [8365] [8366] [8367] [8368] [8369] [8370] [8371] [8372] [8373] [8374] [8375] [8376] [8377] [8378] [8379] [8380] [8381] [8382] [8383] [8384] [8385] [8386] [8387] [8388] [8389] [8390] [8391] [8392] [8393] [8394] [8395] [8396] [8397] [8398] [8399] [8400] [8401] [8402] [8403] [8404] [8405] [8406] [8407] [8408] [8409] [8410] [8411] [8412] [8413] [8414] [8415] [8416] [8417] [8418] [8419] [8420] [8421] [8422] [8423] [8424] [8425] [8426] [8427] [8428] [8429] [8430] [8431] [8432] [8433] [8434] [8435] [8436] [8437] [8438] [8439] [8440] [8441] [8442] [8443] [8444] [8445] [8446] [8447] [8448] [8449] [8450] [8451] [8452] [8453] [8454] [8455] [8456] [8457] [8458] [8459] [8460] [8461] [8462] [8463] [8464] [8465] [8466] [8467] [8468] [8469] [8470] [8471] [8472] [8473] [8474] [8475] [8476] [8477] [8478] [8479] [8480] [8481] [8482] [8483] [8484] [8485] [8486] [8487] [8488] [8489] [8490] [8491] [8492] [8493] [8494] [8495] [8496] [8497] [8498] [8499] [8500] [8501] [8502] [8503] [8504] [8505] [8506] [8507] [8508] [8509] [8510] [8511] [8512] [8513] [8514] [8515] [8516] [8517] [8518] [8519] [8520] [8521] [8522] [8523] [8524] [8525] [8526] [8527] [8528] [8529] [8530] [8531] [8532] [8533] [8534] [8535] [8536] [8537] [8538] [8539] [8540] [8541] [8542] [8543] [8544] [8545] [8546] [8547] [8548] [8549] [8550] 
[8551] [8552] [8553] [8554] [8555] [8556] [8557] [8558] [8559] [8560] [8561] [8562] [8563] [8564] [8565] [8566] [8567] [8568] [8569] [8570] [8571] [8572] [8573] [8574] [8575] [8576] [8577] [8578] [8579] [8580] [8581] [8582] [8583] [8584] [8585] [8586] [8587] [8588] [8589] [8590] [8591] [8592] [8593] [8594] [8595] [8596] [8597] [8598] [8599] [8600] [8601] [8602] [8603] [8604] [8605] [8606] [8607] [8608] [8609] [8610] [8611] [8612] [8613] [8614] [8615] [8616] [8617] [8618] [8619] [8620] [8621] [8622] [8623] [8624] [8625] [8626] [8627] [8628] [8629] [8630] [8631] [8632] [8633] [8634] [8635] [8636] [8637] [8638] [8639] [8640] [8641] [8642] [8643] [8644] [8645] [8646] [8647] [8648] [8649] [8650] [8651] [8652] [8653] [8654] [8655] [8656] [8657] [8658] [8659] [8660] [8661] [8662] [8663] [8664] [8665] [8666] [8667] [8668] [8669] [8670] [8671] [8672] [8673] [8674] [8675] [8676] [8677] [8678] [8679] [8680] [8681] [8682] [8683] [8684] [8685] [8686] [8687] [8688] [8689] [8690] [8691] [8692] [8693] [8694] [8695] [8696] [8697] [8698] [8699] [8700] [8701] [8702] [8703] [8704] [8705] [8706] [8707] [8708] [8709] [8710] [8711] [8712] [8713] [8714] [8715] [8716] [8717] [8718] [8719] [8720] [8721] [8722] [8723] [8724] [8725] [8726] [8727] [8728] [8729] [8730] [8731] [8732] [8733] [8734] [8735] [8736] [8737] [8738] [8739] [8740] [8741] [8742] [8743] [8744] [8745] [8746] [8747] [8748] [8749] [8750] [8751] [8752] [8753] [8754] [8755] [8756] [8757] [8758] [8759] [8760] [8761] [8762] [8763] [8764] [8765] [8766] [8767] [8768] [8769] [8770] [8771] [8772] [8773] [8774] [8775] [8776] [8777] [8778] [8779] [8780] [8781] [8782] [8783] [8784] [8785] [8786] [8787] [8788] [8789] [8790] [8791] [8792] [8793] [8794] [8795] [8796] [8797] [8798] [8799] [8800] [8801] [8802] [8803] [8804] [8805] [8806] [8807] [8808] [8809] [8810] [8811] [8812] [8813] [8814] [8815] [8816] [8817] [8818] [8819] [8820] [8821] [8822] [8823] [8824] [8825] [8826] [8827] [8828] [8829] [8830] [8831] [8832] [8833] [8834] [8835] 
[8836] [8837] [8838] [8839] [8840] [8841] [8842] [8843] [8844] [8845] [8846] [8847] [8848] [8849] [8850] [8851] [8852] [8853] [8854] [8855] [8856] [8857] [8858] [8859] [8860] [8861] [8862] [8863] [8864] [8865] [8866] [8867] [8868] [8869] [8870] [8871] [8872] [8873] [8874] [8875] [8876] [8877] [8878] [8879] [8880] [8881] [8882] [8883] [8884] [8885] [8886] [8887] [8888] [8889] [8890] [8891] [8892] [8893] [8894] [8895] [8896] [8897] [8898] [8899] [8900] [8901] [8902] [8903] [8904] [8905] [8906] [8907] [8908] [8909] [8910] [8911] [8912] [8913] [8914] [8915] [8916] [8917] [8918] [8919] [8920] [8921] [8922] [8923] [8924] [8925] [8926] [8927] [8928] [8929] [8930] [8931] [8932] [8933] [8934] [8935] [8936] [8937] [8938] [8939] [8940] [8941] [8942] [8943] [8944] [8945] [8946] [8947] [8948] [8949] [8950] [8951] [8952] [8953] [8954] [8955] [8956] [8957] [8958] [8959] [8960] [8961] [8962] [8963] [8964] [8965] [8966] [8967] [8968] [8969] [8970] [8971] [8972] [8973] [8974] [8975] [8976] [8977] [8978] [8979] [8980] [8981] [8982] [8983] [8984] [8985] [8986] [8987] [8988] [8989] [8990] [8991] [8992] [8993] [8994] [8995] [8996] [8997] [8998] [8999] [9000] [9001] [9002] [9003] [9004] [9005] [9006] [9007] [9008] [9009] [9010] [9011] [9012] [9013] [9014] [9015] [9016] [9017] [9018] [9019] [9020] [9021] [9022] [9023] [9024] [9025] [9026] [9027] [9028] [9029] [9030] [9031] [9032] [9033] [9034] [9035] [9036] [9037] [9038] [9039] [9040] [9041] [9042] [9043] [9044] [9045] [9046] [9047] [9048] [9049] [9050] [9051] [9052] [9053] [9054] [9055] [9056] [9057] [9058] [9059] [9060] [9061] [9062] [9063] [9064] [9065] [9066] [9067] [9068] [9069] [9070] [9071] [9072] [9073] [9074] [9075] [9076] [9077] [9078] [9079] [9080] [9081] [9082] [9083] [9084] [9085] [9086] [9087] [9088] [9089] [9090] [9091] [9092] [9093] [9094] [9095] [9096] [9097] [9098] [9099] [9100] [9101] [9102] [9103] [9104] [9105] [9106] [9107] [9108] [9109] [9110] [9111] [9112] [9113] [9114] [9115] [9116] [9117] [9118] [9119] [9120] 
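<!DOCTYPE html>
<!-- WASDOC AXP-2.0.0 (CGILIB AXP-1.9.9) -->
<!-- wasDOC Copyright (C) 2019,2020 Mark G.Daniel - Apache-2.0 licenced -->
<!-- 3-NOV-2021 02:50 -->
<noscript>NOTE: SOME FUNCTIONALITY EMPLOYS JAVASCRIPT</noscript>
<div id="erreport1" style="display:none;"></div>
<script>
/*
 * Append an error message to each "erreport<n>" placeholder (n = 1..2)
 * and make it visible.
 *
 * `string` is inserted with innerHTML, i.e. interpreted as markup, so it
 * must only ever be trusted, document-generated text; anything derived
 * from a request or user input would have to be escaped by the caller.
 *
 * A placeholder that is absent from the page (only "erreport1" is defined
 * above this script) is skipped instead of raising a TypeError on
 * `err.style`, which would abort reporting for the remaining placeholders.
 */
function errorReport(string) {
  for (var cnt = 1; cnt <= 2; cnt++) {
    var err = document.getElementById('erreport' + cnt);
    if (!err) continue;
    err.style.display = 'block';
    err.innerHTML += string;
  }
}
</script>
<style type="text/css">
html { font-family: arial, verdana, sans-serif; font-size:12pt; margin:1em; }
/* "bold" is a font-weight value; font-style only accepts normal/italic/oblique,
   so "font-style:bold" is an invalid declaration that browsers drop. */
h1 { font-size:124%; font-weight:bold; margin-top:1em; margin-bottom:0.5em; }
h2 { font-size:120%; font-weight:bold; margin-top:1.1em; margin-bottom:0.4em; }
h3 { font-size:116%; font-weight:bold; margin-top:1.0em; margin-bottom:0.3em; }
h4 { font-size:112%; font-weight:bold; margin-top:1.1em; margin-bottom:0.3em; }
h5 { font-size:112%; font-weight:bold; margin-top:1.1em; margin-bottom:0.3em; }
h6 { font-size:112%; font-weight:bold; padding:0; margin:0; }
h1 .text { text-decoration:underline; }
h1 .numb { padding-right:0.8em; }
h1 .numb:empty { display:none; padding-right:0; }
h2 .numb { padding-right:0.8em; }
h2 .numb:empty { display:none; padding-right:0; }
h3 .numb { padding-right:0.8em; }
h3 .numb:empty { display:none; padding-right:0; }
h4 .numb { padding-right:0.8em; }
h4 .numb:empty { display:none; padding-right:0; }
h5 .numb { display:none; padding-right:0; }
h6 .numb { display:none; padding-right:0; }
kbd { font-family:monospace; }
noscript { font-size:1.2em; }
p { line-height:1.1em; margin-top:1em; margin-bottom:1em; }
.chunk { font-size:130%; text-decoration:underline; }
.head {}
.high {}
.bold { font-weight:bold; }
.center { text-align:center; }
.italic { font-style:italic; }
.left { text-align:left; }
.nowrap { white-space:nowrap; }
.prewrap { white-space:pre; }
.right { text-align:right; }
.strike { text-decoration:line-through; }
.under { text-decoration:underline; }
.backlight {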
background-color:#f2f2f2; } .display0 { display:none; } img { max-width:100%; } .imglink { } .link { } .blank { } .list { margin-bottom:1em; } .list li { margin-top:0.5em; } .list0 li { margin-top:0; } .item {} .tabl { border-collapse:collapse; text-align:left; margin:0.4em 2em 0.5em 2em; } .tabu { border-collapse:collapse; text-align:right; margin:0.4em 2em 0.5em 2em; } .tabr { vertical-align:top; } .tabh { padding:0.2em 0 0 2em; margin:0; } .tabd { padding:0.1em 0 0 2em; margin:0; } .tabh:first-of-type, td:first-of-type { padding-left:0; } .tabu .tabh, .tabu .tabd { border:1px solid gray; padding:0.2em 0.3em 0.2em 0.3em; } .tab0 { border:none; visibility:hidden; max-width:1em; white-space:nowrap; overflow:hidden; } .tabauto { margin-left:auto; margin-right:auto; } .tabr:empty { height:0.2em; } .tabu .tabh:empty, .tabu .tabd:empty { border:none; visibility:hidden; } .error { font-size:110%; color:black; background-color:yellow; font-family:sans-serif; font-weight:bold; font-style:normal; width:95%; border:solid 1px gray; padding:0.5em 1em 0.5em 1em; } .error::before { content:'\026a0\00a0'; } .image { } .page { width:98%; border:1px dashed gray; margin:1.5em 0 1.8em 0; } .epage { width:98%; border:1px dashed black; margin:1.5em 0 1.8em 0; } .monosp { font-family:monospace; } .ppage { display:none; } .simple { list-style-type:none; } .valtop { vertical-align:top; } .valmid { vertical-align:middle; } .valbot { vertical-align:bottom; } .code { border-style:solid; border-width:0 0 0 1px; padding-left:1em; font-family:monospace; white-space:pre; } .block { } .blockof { margin:0.4em 2em 0.5em 2em; } .example { border-style:dashed; border-width:0 0 0 1px; padding-left:1em; margin-top:0.5em; margin-bottom:0.5em; white-space:pre; } .indent { margin-left:2em; margin-right:2em; } .noindent { margin-left:0; margin-right:0; } .inblock { display:inline-block; } .mono { white-space:pre; font-family:monospace; } .note { margin:0.4em 2em 0.5em 2em; page-break-inside:avoid; } .note 
h5 { margin-top:0 } .note_hr { width:80%; border:1px solid gray; } .prop { padding-left:1em; margin-top:0.5em; margin-bottom:0.5em; } .quote { border-style:dashed; border-width:0 0 0 1px; padding-left:1em; margin-top:0.5em; margin-bottom:0.5em; } .this { display:none; } a:link,a:visited { color:black; text-decoration:none; } a:hover,a:active { text-decoration:underline; } a:focus { outline:0; } :target:before { content:''; display:block; height:0.1em; margin:-0.1em; } a.link:link, a.link:visited,a.link:active { color:midnightBlue; text-decoration:underline; text-decoration-style:solid; } .TOC1cols1 { width:80%; max-width:80%; } .TOC1cols2 { column-count:2; width:80%; max-width:80%; } .TOC1cols3 { column-count:3; max-width:90%; max-width:90%; } .TOC1cols4 { column-count:4; max-width:100%; max-width:100%; } .TOC1table { margin-left:2em; white-space:nowrap; break-inside:auto; } .TOC1table tr { vertical-align:top; text-align:left; break-inside:avoid; break-after:auto; } .TOC1table td+td { padding:0 0 0 0.5em; } .TOC1table .numb { width:3em; max-width:3em; } .TOC1table .sepr { width:5em; max-width:6em; overflow:hidden; } .TOC1table .majr { font-weight:bold; } .TOC1table .text { white-space:normal; } /* These are due to Firefox (at least <= 76) recalcitrant multi-column handling. Web search "Split table into css columns, issue in Firefox" (stackoverflow). "Good grief, Charlie Brown!" 
*/ .TOC1cols2 table, .TOC1cols2 tbody, .TOC1cols2 tr, .TOC1cols3 table, .TOC1cols3 tbody, .TOC1cols3 tr, .TOC1cols4 table, .TOC1cols4 tbody, .TOC1cols4 tr { display:block; padding:0; } .TOC2cols1 { width:60%; max-width:60%; } .TOC2cols2 { column-count:2; width:70%; max-width:70%; } .TOC2cols3 { column-count:3; width:80%; max-width:80%; } .TOC2cols4 { column-count:4; width:90%; max-width:90%; } .TOC2table { margin-left:2em; white-space:nowrap; break-inside:auto; } .TOC2table tr { vertical-align:top; text-align:left; break-inside:avoid; break-after:auto; } .TOC2table .numb { font-weight:bold; padding-right:0.5em; } .TOC2table .text { width:100%; white-space:normal; } /* see "recalcitrant" above */ .TOC2cols2 table, .TOC2cols2 tbody, .TOC2cols2 tr, .TOC2cols3 table, .TOC2cols3 tbody, .TOC2cols3 tr, .TOC2cols4 table, .TOC2cols4 tbody, .TOC2cols4 tr { display:block; padding:0; } .NAVtable { margin:0.1em 0 0 2em; } .NAVtable td { font-size:110%; font-weight:bold; padding:0; margin:0; } .NAVtable a { padding:0 0.5em 0 0.5em; text-decoration:none; } .IDXcols1 { width:80%; max-width:80%; } .IDXcols2 { column-count:2; width:90%; max-width:90%; } .IDXcols3 { column-count:3; width:95%; max-width:95%; } .IDXcols4 { column-count:4; width:100%; max-width:100%; } .IDXtable { margin:1em 0 1em 2em; white-space:nowrap; break-inside:auto; } .IDXtable tr { vertical-align:top; text-align:left; break-inside:avoid; break-after:auto; } .IDXtable .alpha { font-weight:bold; min-width:2em; } .IDXtable .text { width:100%; white-space:normal; } .IDXtable .para:before { content:'\00b6\00a0'; } /* see "recalcitrant" above */ .IDXcols2 table, .IDXcols2 tbody, .IDXcols2 tr, .IDXcols3 table, .IDXcols3 tbody, .IDXcols3 tr, .IDXcols4 table, .IDXcols4 tbody, .IDXcols4 tr { display:block; padding:0; } .insight { background-color:cyan; font-family:monospace; padding:0 0.2em 0 0.2em; margin:0 0.2em 0 0.2em; font-size:100%; font-style:normal; font-weight:normal; text-decoration:none; } .wasdoc { 
font-family: "Lucida Console", Monaco, monospace; letter-spacing:-0.07em; } @media screen { .blank::after { content:"\2924"; } .print { display:none; } } @media print { table { page-break-inside:avoid; } .noprint { display:none; } .page { border:none; page-break-after: always; } .epage { display:none; } .ppage { page-break-after:always; } .NAVtable { display:none; } .NAVprint { display:block!important; } } @page { margin:2cm 1cm 2cm 1cm; } </style> <!-- source:0000_features.WASDOC --> <style type="text/css">._smiley::after { font-size:150%; vertical-align:middle; content:'\263a' }</style> <style type="text/css">._frowny::after { font-size:150%; vertical-align:middle; content:'\2639' }</style> <style type="text/css">._button { border: 1px gray solid; border-radius:3px; padding:0.1em; margin:0.1em; font-size:90%; }</style> <a id="0." href="#"></a> <a id="0.0.0.0.1" href="#"></a> <a id="0.wasdfeaturesandfacilities" href="#"></a> <a id="wasdfeaturesandfacilities" href="#"></a> <h1 class="head" style="font-size:140%;"><span class="text">WASD Features and Facilities</span></h1> <p> For version 12.0 release of WASD VMS Web Services. <p> Published November 2021 <p> Document generated using <span class="high wasdoc">wasDOC</span> version 2.0.0 <a id="0.0.0.0.2" href="#"></a> <a id="0.abstract" href="#"></a> <a id="abstract" href="#"></a> <h5 class="head"><span class="text">Abstract</span></h5> <p> This document describes the more significant features and facilities available with the WASD Web Services package. 
<p> For installation and update details see <a class="link blank" target="_blank" href="../features/">WASD Web Services - Installation</a> <p> For detailed configuration information see <a class="link blank" target="_blank" href="../config/">WASD Web Services - Configuration</a> <p> For information on CGI, CGIplus, ISAPI, OSU, etc., scripting, see <a class="link blank" target="_blank" href="../scripting/">WASD Web Services - Scripting</a> <p> And for a description of WASD Web document, SSI and directory listing behaviours and options, <a class="link blank" target="_blank" href="../env/">WASD Web Services - Environment</a> <a id="0.0.0.0.3" href="#"></a> <a id="0.onlinesearch" href="#"></a> <a id="onlinesearch" href="#"></a> <h5 class="head"><span class="text">Online Search</span></h5> <p> <table class="tabl noindent" style="border:1px #808080 solid;background-color:#eeeeee;margin-bottom:1.5em;"> <tr class="tabr"> <td class="tabd" style="padding:0.5em;"><form action="/cgi-bin/query/wasd_root/wasdoc/features/*.html" target="_top"> <input type="submit" value="Search for:"> <input type="text" name="search" size="20"> <input type="reset" value="Reset"> </form> </table> <p> <span class="high bold">WASD VMS Web Services – Copyright © 1996-2021 Mark G. Daniel</span> <a id="0.0.0.0.3.1" href="#"></a> <a id="0.apachelicenseversion20" href="#"></a> <a id="apachelicenseversion20" href="#"></a> <h6 class="head display0"><span class="text">Apache License, Version 2.0</span></h6> <a id="0.0.0.0.3.2" href="#"></a> <a id="0.license" href="#"></a> <a id="license" href="#"></a> <h6 class="head display0"><span class="text">License</span></h6> <p> Licensed under the <span class="high bold">Apache License</span>, Version 2.0 (the "License"); <div class="blockof quote" style="font-size:0.9em;width:49em;margin:-0.5em 0 0 1em;">you may not use this software except in compliance with the License. 
You may obtain a copy of the License at <p> <a class="link blank" target="_blank" style="margin-left:1em;" href="https://www.apache.org/licenses/LICENSE-2.0">https://www.apache.org/licenses/LICENSE-2.0</a> <p> Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. </div> <p> <a class="link" href="mailto:Mark.Daniel@wasd.vsm.com.au">Mark.Daniel@wasd.vsm.com.au</a> <br> <span class="high bold italic">A pox on the houses of all spammers. Make that two poxes.</span> <p> All copyright and trademarks within this document belong to their rightful owners. See <a class="link" href="#15.attributionandacknowledgement">15. Attribution and Acknowledgement</a>. <p> This is a static (file), single document. <br> Alternative <a class="link" href="/wasd_root/wasdoc/features/features.html">multi-part</a> static and <a class="link" href="/cgi-bin/wasdoc/wasd_root/wasdoc/features/">dynamic</a> documents. <br> Links followed by ⤤ open in a new page. 
<a id="0.0.0.0.4.2" href="#"></a> <a id="0.tableofcontent" href="#"></a> <a id="tableofcontent" href="#"></a> <h1 class="head" style="font-size:120%;"><span class="text">Table of Content</span></h1> <div class="TOC1cols2"> <table class="TOC1table"> <tr><td class="sepr"><a href="#1.introduction">1.</a>…………………<td class="text majr"><a href="#1.introduction">Introduction</a> <tr><td class="sepr"><a href="#1.1.troubleshooting">1.1</a>…………………<td class="text"><a href="#1.1.troubleshooting">Troubleshooting?</a> <tr><td class="sepr"><a href="#2.packageoverview">2.</a>…………………<td class="text majr"><a href="#2.packageoverview">Package Overview</a> <tr><td class="sepr"><a href="#2.1.serverbehaviour">2.1</a>…………………<td class="text"><a href="#2.1.serverbehaviour">Server Behaviour</a> <tr><td class="sepr"><a href="#2.2.vmsversions">2.2</a>…………………<td class="text"><a href="#2.2.vmsversions">VMS Versions</a> <tr><td class="sepr"><a href="#2.3.tcpippackages">2.3</a>…………………<td class="text"><a href="#2.3.tcpippackages">TCP/IP Packages</a> <tr><td class="sepr"><a href="#2.4.internationalfeatures">2.4</a>…………………<td class="text"><a href="#2.4.internationalfeatures">International Features</a> <tr><td class="sepr"><a href="#3.authenticationandauthorization">3.</a>…………………<td class="text majr"><a href="#3.authenticationandauthorization">Authentication and Authorization</a> <tr><td class="sepr"><a href="#3.1.ruleinterpretation">3.1</a>…………………<td class="text"><a href="#3.1.ruleinterpretation">Rule Interpretation</a> <tr><td class="sepr"><a href="#3.2.authenticationpolicy">3.2</a>…………………<td class="text"><a href="#3.2.authenticationpolicy">Authentication Policy</a> <tr><td class="sepr"><a href="#3.3.permissionspathanduser">3.3</a>…………………<td class="text"><a href="#3.3.permissionspathanduser">Permissions, Path and User</a> <tr><td class="sepr"><a href="#3.4.authorizationconfigurationfile">3.4</a>…………………<td class="text"><a href="#3.4.authorizationconfigurationfile">Authorization Configuration File</a> 
<tr><td class="sepr"><a href="#3.5.authenticationsources">3.5</a>…………………<td class="text"><a href="#3.5.authenticationsources">Authentication Sources</a> <tr><td class="sepr"><a href="#3.6.realmfullaccessreadonly">3.6</a>…………………<td class="text"><a href="#3.6.realmfullaccessreadonly">Realm, Full-Access, Read-Only</a> <tr><td class="sepr"><a href="#3.7.virtualservers">3.7</a>…………………<td class="text"><a href="#3.7.virtualservers">Virtual Servers</a> <tr><td class="sepr"><a href="#3.8.authorizationconfigurationexamples">3.8</a>…………………<td class="text"><a href="#3.8.authorizationconfigurationexamples">Authorization Configuration Examples</a> <tr><td class="sepr"><a href="#3.8.1.kiss">3.8.1</a>…………………<td class="text"><a href="#3.8.1.kiss">KISS</a> <tr><td class="sepr"><a href="#3.9.authorizationcache">3.9</a>…………………<td class="text"><a href="#3.9.authorizationcache">Authorization Cache</a> <tr><td class="sepr"><a href="#3.10.sysuafauthenticatedusers">3.10</a>…………………<td class="text"><a href="#3.10.sysuafauthenticatedusers">SYSUAF-Authenticated Users</a> <tr><td class="sepr"><a href="#3.10.1.acme">3.10.1</a>…………………<td class="text"><a href="#3.10.1.acme">ACME</a> <tr><td class="sepr"><a href="#3.10.2.logontype">3.10.2</a>…………………<td class="text"><a href="#3.10.2.logontype">Logon Type</a> <tr><td class="sepr"><a href="#3.10.3.rightsidentifiers">3.10.3</a>…………………<td class="text"><a href="#3.10.3.rightsidentifiers">Rights Identifiers</a> <tr><td class="sepr"><a href="#3.10.4.wasdquothardwiredquotidentifiers">3.10.4</a>…………………<td class="text"><a href="#3.10.4.wasdquothardwiredquotidentifiers">WASD "Hard-Wired" Identifiers</a> <tr><td class="sepr"><a href="#3.10.5.vmsaccountproxying">3.10.5</a>…………………<td class="text"><a href="#3.10.5.vmsaccountproxying">VMS Account Proxying</a> <tr><td class="sepr"><a href="#3.10.6.nilaccessvmsaccounts">3.10.6</a>…………………<td class="text"><a href="#3.10.6.nilaccessvmsaccounts">Nil-Access VMS Accounts</a> <tr><td class="sepr"><a 
href="#3.10.7.sysuafandssl">3.10.7</a>…………………<td class="text"><a href="#3.10.7.sysuafandssl">SYSUAF and SSL</a> <tr><td class="sepr"><a href="#3.10.8.sysuafsecurityprofile">3.10.8</a>…………………<td class="text"><a href="#3.10.8.sysuafsecurityprofile">SYSUAF Security Profile</a> <tr><td class="sepr"><a href="#3.10.9.sysuafprofileforfullsiteaccess">3.10.9</a>…………………<td class="text"><a href="#3.10.9.sysuafprofileforfullsiteaccess">SYSUAF Profile For Full Site Access</a> <tr><td class="sepr"><a href="#3.11.tokenauthentication">3.11</a>…………………<td class="text"><a href="#3.11.tokenauthentication">Token Authentication</a> <tr><td class="sepr"><a href="#3.12.skeletonkeyauthentication">3.12</a>…………………<td class="text"><a href="#3.12.skeletonkeyauthentication">Skeleton-Key Authentication</a> <tr><td class="sepr"><a href="#3.13.controllingserverwriteaccess">3.13</a>…………………<td class="text"><a href="#3.13.controllingserverwriteaccess">Controlling Server Write Access</a> <tr><td class="sepr"><a href="#3.14.securingallrequests">3.14</a>…………………<td class="text"><a href="#3.14.securingallrequests">Securing All Requests</a> <tr><td class="sepr"><a href="#3.15.userpasswordmodification">3.15</a>…………………<td class="text"><a href="#3.15.userpasswordmodification">User Password Modification</a> <tr><td class="sepr"><a href="#3.16.cancellingauthorization">3.16</a>…………………<td class="text"><a href="#3.16.cancellingauthorization">Cancelling Authorization</a> <tr><td class="sepr"><a href="#4.transportlayersecurity">4.</a>…………………<td class="text majr"><a href="#4.transportlayersecurity">Transport Layer Security</a> <tr><td class="sepr"><a href="#4.1.letsencrypt">4.1</a>…………………<td class="text"><a href="#4.1.letsencrypt">Let's Encrypt</a> <tr><td class="sepr"><a href="#4.2.tlssslfunctionalitysources">4.2</a>…………………<td class="text"><a href="#4.2.tlssslfunctionalitysources">TLS/SSL Functionality Sources</a> <tr><td class="sepr"><a href="#4.3.wasdsslquickstart">4.3</a>…………………<td class="text"><a 
href="#4.3.wasdsslquickstart">WASD SSL Quick-Start</a> <tr><td class="sepr"><a href="#4.4.opensslexeapplication">4.4</a>…………………<td class="text"><a href="#4.4.opensslexeapplication">OPENSSL.EXE Application</a> <tr><td class="sepr"><a href="#4.5.sslconfiguration">4.5</a>…………………<td class="text"><a href="#4.5.sslconfiguration">SSL Configuration</a> <tr><td class="sepr"><a href="#4.5.1.wasdconfigservice">4.5.1</a>…………………<td class="text"><a href="#4.5.1.wasdconfigservice">WASD_CONFIG_SERVICE</a> <tr><td class="sepr"><a href="#4.5.2.tlssslversions">4.5.2</a>…………………<td class="text"><a href="#4.5.2.tlssslversions">TLS/SSL Versions</a> <tr><td class="sepr"><a href="#4.5.3.sslciphers">4.5.3</a>…………………<td class="text"><a href="#4.5.3.sslciphers">SSL Ciphers</a> <tr><td class="sepr"><a href="#4.5.4.openssloptions">4.5.4</a>…………………<td class="text"><a href="#4.5.4.openssloptions">(Open)SSL Options</a> <tr><td class="sepr"><a href="#4.5.5.forwardsecrecy">4.5.5</a>…………………<td class="text"><a href="#4.5.5.forwardsecrecy">Forward Secrecy</a> <tr><td class="sepr"><a href="#4.5.6.sessionresumption">4.5.6</a>…………………<td class="text"><a href="#4.5.6.sessionresumption">Session Resumption</a> <tr><td class="sepr"><a href="#4.5.7.stricttransportsecurity">4.5.7</a>…………………<td class="text"><a href="#4.5.7.stricttransportsecurity">Strict Transport Security</a> <tr><td class="sepr"><a href="#4.5.8.sslservercertificate">4.5.8</a>…………………<td class="text"><a href="#4.5.8.sslservercertificate">SSL Server Certificate</a> <tr><td class="sepr"><a href="#4.5.9.sslprivatekey">4.5.9</a>…………………<td class="text"><a href="#4.5.9.sslprivatekey">SSL Private Key</a> <tr><td class="sepr"><a href="#4.5.10.sslvirtualservices">4.5.10</a>…………………<td class="text"><a href="#4.5.10.sslvirtualservices">SSL Virtual Services</a> <tr><td class="sepr"><a href="#4.5.11.sslaccesscontrol">4.5.11</a>…………………<td class="text"><a href="#4.5.11.sslaccesscontrol">SSL Access Control</a> <tr><td class="sepr"><a 
href="#4.5.12.authorizationusingx509certification">4.5.12</a>…………………<td class="text"><a href="#4.5.12.authorizationusingx509certification">Authorization Using X.509 Certification</a> <tr><td class="sepr"><a href="#4.5.13.x509certificaterenegotiation">4.5.13</a>…………………<td class="text"><a href="#4.5.13.x509certificaterenegotiation">X.509 Certificate Renegotiation</a> <tr><td class="sepr"><a href="#4.5.14.features">4.5.14</a>…………………<td class="text"><a href="#4.5.14.features">Features</a> <tr><td class="sepr"><a href="#4.5.15.subjectalternativenameandotherextensions">4.5.15</a>…………………<td class="text"><a href="#4.5.15.subjectalternativenameandotherextensions">Subject Alternative Name and Other Extensions</a> <tr><td class="sepr"><a href="#4.5.16.x509configuration">4.5.16</a>…………………<td class="text"><a href="#4.5.16.x509configuration">X509 Configuration</a> <tr><td class="sepr"><a href="#4.5.17.certificateauthorityverificationfile">4.5.17</a>…………………<td class="text"><a href="#4.5.17.certificateauthorityverificationfile">Certificate Authority Verification File</a> <tr><td class="sepr"><a href="#4.5.18.x509authorizationcgivariables">4.5.18</a>…………………<td class="text"><a href="#4.5.18.x509authorizationcgivariables">X.509 Authorization CGI Variables</a> <tr><td class="sepr"><a href="#4.6.certificatemanagement">4.6</a>…………………<td class="text"><a href="#4.6.certificatemanagement">Certificate Management</a> <tr><td class="sepr"><a href="#4.6.1.servercertificate">4.6.1</a>…………………<td class="text"><a href="#4.6.1.servercertificate">Server Certificate</a> <tr><td class="sepr"><a href="#4.6.2.certificatesigningrequest">4.6.2</a>…………………<td class="text"><a href="#4.6.2.certificatesigningrequest">Certificate Signing Request</a> <tr><td class="sepr"><a href="#4.7.sslcgivariables">4.7</a>…………………<td class="text"><a href="#4.7.sslcgivariables">SSL CGI Variables</a> <tr><td class="sepr"><a href="#4.8.sslserviceevaluation">4.8</a>…………………<td class="text"><a href="#4.8.sslserviceevaluation">SSL 
Service Evaluation</a> <tr><td class="sepr"><a href="#4.9.sslreferences">4.9</a>…………………<td class="text"><a href="#4.9.sslreferences">SSL References</a> <tr><td class="sepr"><a href="#5.http2">5.</a>…………………<td class="text majr"><a href="#5.http2">HTTP/2</a> <tr><td class="sepr"><a href="#5.1.wasdhttp2">5.1</a>…………………<td class="text"><a href="#5.1.wasdhttp2">WASD HTTP/2</a> <tr><td class="sepr"><a href="#5.2.http2andperformance">5.2</a>…………………<td class="text"><a href="#5.2.http2andperformance">HTTP/2 and Performance</a> <tr><td class="sepr"><a href="#5.3.http2configuration">5.3</a>…………………<td class="text"><a href="#5.3.http2configuration">HTTP/2 Configuration</a> <tr><td class="sepr"><a href="#5.3.1.globalconfiguration">5.3.1</a>…………………<td class="text"><a href="#5.3.1.globalconfiguration">Global Configuration</a> <tr><td class="sepr"><a href="#5.3.2.serviceconfiguration">5.3.2</a>…………………<td class="text"><a href="#5.3.2.serviceconfiguration">Service Configuration</a> <tr><td class="sepr"><a href="#5.3.3.http2setrules">5.3.3</a>…………………<td class="text"><a href="#5.3.3.http2setrules">HTTP/2 Set Rules</a> <tr><td class="sepr"><a href="#5.4.http2detection">5.4</a>…………………<td class="text"><a href="#5.4.http2detection">HTTP/2 Detection</a> <tr><td class="sepr"><a href="#5.5.http2references">5.5</a>…………………<td class="text"><a href="#5.5.http2references">HTTP/2 References</a> <tr><td class="sepr"><a href="#6.webdav">6.</a>…………………<td class="text majr"><a href="#6.webdav">WebDAV</a> <tr><td class="sepr"><a href="#6.1.httpmethodssupported">6.1</a>…………………<td class="text"><a href="#6.1.httpmethodssupported">HTTP Methods Supported</a> <tr><td class="sepr"><a href="#6.1.1.copyrestrictions">6.1.1</a>…………………<td class="text"><a href="#6.1.1.copyrestrictions">COPY Restrictions</a> <tr><td class="sepr"><a href="#6.1.2.deleterestrictions">6.1.2</a>…………………<td class="text"><a href="#6.1.2.deleterestrictions">DELETE Restrictions</a> <tr><td class="sepr"><a 
href="#6.1.3.moverestrictions">6.1.3</a>…………………<td class="text"><a href="#6.1.3.moverestrictions">MOVE Restrictions</a> <tr><td class="sepr"><a href="#6.1.4.ifrestrictions">6.1.4</a>…………………<td class="text"><a href="#6.1.4.ifrestrictions">If: Restrictions</a> <tr><td class="sepr"><a href="#6.2.webdavconfiguration">6.2</a>…………………<td class="text"><a href="#6.2.webdavconfiguration">WebDAV Configuration</a> <tr><td class="sepr"><a href="#6.2.1.webdavsetrules">6.2.1</a>…………………<td class="text"><a href="#6.2.1.webdavsetrules">WebDAV Set Rules</a> <tr><td class="sepr"><a href="#6.2.2.filenaming">6.2.2</a>…………………<td class="text"><a href="#6.2.2.filenaming">File Naming</a> <tr><td class="sepr"><a href="#6.2.3.filesystemaccess">6.2.3</a>…………………<td class="text"><a href="#6.2.3.filesystemaccess">File-system Access</a> <tr><td class="sepr"><a href="#6.2.4.filesystemauthorisation">6.2.4</a>…………………<td class="text"><a href="#6.2.4.filesystemauthorisation">File-system Authorisation</a> <tr><td class="sepr"><a href="#6.2.5.concurrentauthorisation">6.2.5</a>…………………<td class="text"><a href="#6.2.5.concurrentauthorisation">Concurrent Authorisation</a> <tr><td class="sepr"><a href="#6.2.6.realworldexample">6.2.6</a>…………………<td class="text"><a href="#6.2.6.realworldexample">Real-World Example</a> <tr><td class="sepr"><a href="#6.3.webdavmetadata">6.3</a>…………………<td class="text"><a href="#6.3.webdavmetadata">WebDAV Metadata</a> <tr><td class="sepr"><a href="#6.4.webdavlocking">6.4</a>…………………<td class="text"><a href="#6.4.webdavlocking">WebDAV Locking</a> <tr><td class="sepr"><a href="#6.5.somewrinkles">6.5</a>…………………<td class="text"><a href="#6.5.somewrinkles">Some Wrinkles</a> <tr><td class="sepr"><a href="#6.5.1.osxfinder">6.5.1</a>…………………<td class="text"><a href="#6.5.1.osxfinder">OS X Finder</a> <tr><td class="sepr"><a href="#6.5.2.gnomegvfsnautilus">6.5.2</a>…………………<td class="text"><a href="#6.5.2.gnomegvfsnautilus">Gnome/gvfs/Nautilus</a> <tr><td class="sepr"><a 
href="#6.5.3.dreamweaver">6.5.3</a>…………………<td class="text"><a href="#6.5.3.dreamweaver">Dreamweaver</a> <tr><td class="sepr"><a href="#6.6.microsoftmiscellanea">6.6</a>…………………<td class="text"><a href="#6.6.microsoftmiscellanea">Microsoft Miscellanea</a> <tr><td class="sepr"><a href="#6.6.1.mapping">6.6.1</a>…………………<td class="text"><a href="#6.6.1.mapping">Mapping</a> <tr><td class="sepr"><a href="#6.6.2.frontpageextensions">6.6.2</a>…………………<td class="text"><a href="#6.6.2.frontpageextensions">FrontPage Extensions</a> <tr><td class="sepr"><a href="#6.6.3.avoidingmicrosoftpropertyclutter">6.6.3</a>…………………<td class="text"><a href="#6.6.3.avoidingmicrosoftpropertyclutter">Avoiding Microsoft Property Clutter</a> <tr><td class="sepr"><a href="#6.6.4.optionsheaderquotmsauthorviadavquot">6.6.4</a>…………………<td class="text"><a href="#6.6.4.optionsheaderquotmsauthorviadavquot">OPTIONS header "MS-Author-Via: DAV"</a> <tr><td class="sepr"><a href="#6.6.5.repairingbrokenxpwebfolders">6.6.5</a>…………………<td class="text"><a href="#6.6.5.repairingbrokenxpwebfolders">Repairing broken XP Web Folders</a> <tr><td class="sepr"><a href="#6.6.6.addingaportnumbertothewebfolderaddress">6.6.6</a>…………………<td class="text"><a href="#6.6.6.addingaportnumbertothewebfolderaddress">Adding a port number to the webfolder-address</a> <tr><td class="sepr"><a href="#6.6.7.addinganumbersignquotquottothewebfolderaddress">6.6.7</a>…………………<td class="text"><a href="#6.6.7.addinganumbersignquotquottothewebfolderaddress">Adding a number-sign ("#") to the webfolder-address</a> <tr><td class="sepr"><a href="#6.6.8.forcewindowsxptousebasicauthentication">6.6.8</a>…………………<td class="text"><a href="#6.6.8.forcewindowsxptousebasicauthentication">Force Windows XP to use Basic Authentication</a> <tr><td class="sepr"><a href="#6.6.9.microsoftxpexplorerbasicauthentication">6.6.9</a>…………………<td class="text"><a href="#6.6.9.microsoftxpexplorerbasicauthentication">Microsoft XP Explorer BASIC Authentication</a> <tr><td 
class="sepr"><a href="#6.6.10.microsoftwindows7basicauthentication">6.6.10</a>…………………<td class="text"><a href="#6.6.10.microsoftwindows7basicauthentication">Microsoft Windows 7 BASIC Authentication</a> <tr><td class="sepr"><a href="#6.6.11.error0x800700dfthefilesizeexceedsthelimitallowedandcannotbesaved">6.6.11</a>…………………<td class="text"><a href="#6.6.11.error0x800700dfthefilesizeexceedsthelimitallowedandcannotbesaved">Error 0x800700DF: The file size exceeds the limit allowed and cannot be saved</a> <tr><td class="sepr"><a href="#6.7.references">6.7</a>…………………<td class="text"><a href="#6.7.references">References</a> <tr><td class="sepr"><a href="#7.proxyservices">7.</a>…………………<td class="text majr"><a href="#7.proxyservices">Proxy Services</a> <tr><td class="sepr"><a href="#7.1.httpproxyserving">7.1</a>…………………<td class="text"><a href="#7.1.httpproxyserving">HTTP Proxy Serving</a> <tr><td class="sepr"><a href="#7.1.1.enablingaproxyservice">7.1.1</a>…………………<td class="text"><a href="#7.1.1.enablingaproxyservice">Enabling A Proxy Service</a> <tr><td class="sepr"><a href="#7.1.2.proxyaffinity">7.1.2</a>…………………<td class="text"><a href="#7.1.2.proxyaffinity">Proxy Affinity</a> <tr><td class="sepr"><a href="#7.1.3.proxybind">7.1.3</a>…………………<td class="text"><a href="#7.1.3.proxybind">Proxy Bind</a> <tr><td class="sepr"><a href="#7.1.4.proxychaining">7.1.4</a>…………………<td class="text"><a href="#7.1.4.proxychaining">Proxy Chaining</a> <tr><td class="sepr"><a href="#7.1.5.controllingproxyserving">7.1.5</a>…………………<td class="text"><a href="#7.1.5.controllingproxyserving">Controlling Proxy Serving</a> <tr><td class="sepr"><a href="#7.2.proxycache">7.2</a>…………………<td class="text"><a href="#7.2.proxycache">Proxy Cache</a> <tr><td class="sepr"><a href="#7.3.connectserving">7.3</a>…………………<td class="text"><a href="#7.3.connectserving">CONNECT Serving</a> <tr><td class="sepr"><a href="#7.3.1.enablingconnectserving">7.3.1</a>…………………<td class="text"><a 
href="#7.3.1.enablingconnectserving">Enabling CONNECT Serving</a> <tr><td class="sepr"><a href="#7.3.2.controllingconnectserving">7.3.2</a>…………………<td class="text"><a href="#7.3.2.controllingconnectserving">Controlling CONNECT Serving</a> <tr><td class="sepr"><a href="#7.4.socksversion5">7.4</a>…………………<td class="text"><a href="#7.4.socksversion5">SOCKS Version 5</a> <tr><td class="sepr"><a href="#7.5.ftpproxyserving">7.5</a>…………………<td class="text"><a href="#7.5.ftpproxyserving">FTP Proxy Serving</a> <tr><td class="sepr"><a href="#7.5.1.ftpquerystringkeywords">7.5.1</a>…………………<td class="text"><a href="#7.5.1.ftpquerystringkeywords">FTP Query String Keywords</a> <tr><td class="sepr"><a href="#7.5.2.quotloginquotkeyword">7.5.2</a>…………………<td class="text"><a href="#7.5.2.quotloginquotkeyword">"login" Keyword</a> <tr><td class="sepr"><a href="#7.6.gatewayingusingproxy">7.6</a>…………………<td class="text"><a href="#7.6.gatewayingusingproxy">Gatewaying Using Proxy</a> <tr><td class="sepr"><a href="#7.6.1.reverseproxy">7.6.1</a>…………………<td class="text"><a href="#7.6.1.reverseproxy">Reverse Proxy</a> <tr><td class="sepr"><a href="#7.6.2.proxyrework">7.6.2</a>…………………<td class="text"><a href="#7.6.2.proxyrework">Proxy Rework</a> <tr><td class="sepr"><a href="#7.6.3.oneshotproxy">7.6.3</a>…………………<td class="text"><a href="#7.6.3.oneshotproxy">One-Shot Proxy</a> <tr><td class="sepr"><a href="#7.6.4.dnswildcardproxy">7.6.4</a>…………………<td class="text"><a href="#7.6.4.dnswildcardproxy">DNS Wildcard Proxy</a> <tr><td class="sepr"><a href="#7.6.5.originatingssl">7.6.5</a>…………………<td class="text"><a href="#7.6.5.originatingssl">Originating SSL</a> <tr><td class="sepr"><a href="#7.7.tunnelingusingproxy">7.7</a>…………………<td class="text"><a href="#7.7.tunnelingusingproxy">Tunneling Using Proxy</a> <tr><td class="sepr"><a href="#7.7.1.serviceproxytunnelconnect">7.7.1</a>…………………<td class="text"><a href="#7.7.1.serviceproxytunnelconnect">[ServiceProxyTunnel] CONNECT</a> <tr><td class="sepr"><a 
href="#7.7.2.serviceproxytunnelraw">7.7.2</a>…………………<td class="text"><a href="#7.7.2.serviceproxytunnelraw">[ServiceProxyTunnel] RAW</a> <tr><td class="sepr"><a href="#7.7.3.serviceproxytunnelfirewall">7.7.3</a>…………………<td class="text"><a href="#7.7.3.serviceproxytunnelfirewall">[ServiceProxyTunnel] FIREWALL</a> <tr><td class="sepr"><a href="#7.7.4.encryptedtunnel">7.7.4</a>…………………<td class="text"><a href="#7.7.4.encryptedtunnel">Encrypted Tunnel</a> <tr><td class="sepr"><a href="#7.7.5.encryptedtunnelwithauthentication">7.7.5</a>…………………<td class="text"><a href="#7.7.5.encryptedtunnelwithauthentication">Encrypted Tunnel With Authentication</a> <tr><td class="sepr"><a href="#7.7.6.sharedsshtunnel">7.7.6</a>…………………<td class="text"><a href="#7.7.6.sharedsshtunnel">Shared SSH Tunnel</a> <tr><td class="sepr"><a href="#7.7.7.complexprivatetunneling">7.7.7</a>…………………<td class="text"><a href="#7.7.7.complexprivatetunneling">Complex Private Tunneling</a> <tr><td class="sepr"><a href="#7.7.8.tunnellingsource">7.7.8</a>…………………<td class="text"><a href="#7.7.8.tunnellingsource">Tunnelling Source</a> <tr><td class="sepr"><a href="#7.8.browserproxyconfiguration">7.8</a>…………………<td class="text"><a href="#7.8.browserproxyconfiguration">Browser Proxy Configuration</a> <tr><td class="sepr"><a href="#7.8.1.manual">7.8.1</a>…………………<td class="text"><a href="#7.8.1.manual">Manual</a> <tr><td class="sepr"><a href="#7.8.2.automatic">7.8.2</a>…………………<td class="text"><a href="#7.8.2.automatic">Automatic</a> <tr><td class="sepr"><a href="#8.instancesandenvironments">8.</a>…………………<td class="text majr"><a href="#8.instancesandenvironments">Instances and Environments</a> <tr><td class="sepr"><a href="#8.1.serverinstances">8.1</a>…………………<td class="text"><a href="#8.1.serverinstances">Server Instances</a> <tr><td class="sepr"><a href="#8.1.1.vmsclusteringcomparison">8.1.1</a>…………………<td class="text"><a href="#8.1.1.vmsclusteringcomparison">VMS Clustering Comparison</a> <tr><td class="sepr"><a 
href="#8.1.2.considerations">8.1.2</a>…………………<td class="text"><a href="#8.1.2.considerations">Considerations</a> <tr><td class="sepr"><a href="#8.1.3.configuration">8.1.3</a>…………………<td class="text"><a href="#8.1.3.configuration">Configuration</a> <tr><td class="sepr"><a href="#8.1.4.status">8.1.4</a>…………………<td class="text"><a href="#8.1.4.status">Status</a> <tr><td class="sepr"><a href="#8.2.serverenvironments">8.2</a>…………………<td class="text"><a href="#8.2.serverenvironments">Server Environments</a> <tr><td class="sepr"><a href="#9.serveradministration">9.</a>…………………<td class="text majr"><a href="#9.serveradministration">Server Administration</a> <tr><td class="sepr"><a href="#9.1.accessbeforeconfiguration">9.1</a>…………………<td class="text"><a href="#9.1.accessbeforeconfiguration">Access Before Configuration</a> <tr><td class="sepr"><a href="#9.2.accessconfiguration">9.2</a>…………………<td class="text"><a href="#9.2.accessconfiguration">Access Configuration</a> <tr><td class="sepr"><a href="#9.3.serverinstances">9.3</a>…………………<td class="text"><a href="#9.3.serverinstances">Server Instances</a> <tr><td class="sepr"><a href="#9.4.httpdserverreports">9.4</a>…………………<td class="text"><a href="#9.4.httpdserverreports">HTTPd Server Reports</a> <tr><td class="sepr"><a href="#9.5.httpdserverrevise">9.5</a>…………………<td class="text"><a href="#9.5.httpdserverrevise">HTTPd Server Revise</a> <tr><td class="sepr"><a href="#9.6.httpdserveraction">9.6</a>…………………<td class="text"><a href="#9.6.httpdserveraction">HTTPd Server Action</a> <tr><td class="sepr"><a href="#9.7.httpdcommandline">9.7</a>…………………<td class="text"><a href="#9.7.httpdcommandline">HTTPd Command Line</a> <tr><td class="sepr"><a href="#9.7.1.accounting">9.7.1</a>…………………<td class="text"><a href="#9.7.1.accounting">Accounting</a> <tr><td class="sepr"><a href="#9.7.2.alignmentfaults">9.7.2</a>…………………<td class="text"><a href="#9.7.2.alignmentfaults">Alignment Faults</a> <tr><td class="sepr"><a 
href="#9.7.3.authentication">9.7.3</a>…………………<td class="text"><a href="#9.7.3.authentication">Authentication</a> <tr><td class="sepr"><a href="#9.7.4.cache">9.7.4</a>…………………<td class="text"><a href="#9.7.4.cache">Cache</a> <tr><td class="sepr"><a href="#9.7.5.configurationcheck">9.7.5</a>…………………<td class="text"><a href="#9.7.5.configurationcheck">Configuration Check</a> <tr><td class="sepr"><a href="#9.7.6.dclscriptingprocesses">9.7.6</a>…………………<td class="text"><a href="#9.7.6.dclscriptingprocesses">DCL/Scripting Processes</a> <tr><td class="sepr"><a href="#9.7.7.decnetscriptingconnections">9.7.7</a>…………………<td class="text"><a href="#9.7.7.decnetscriptingconnections">DECnet Scripting Connections</a> <tr><td class="sepr"><a href="#9.7.8.hhelppp">9.7.8</a>…………………<td class="text"><a href="#9.7.8.hhelppp">Hhelppp!</a> <tr><td class="sepr"><a href="#9.7.9.http2connection">9.7.9</a>…………………<td class="text"><a href="#9.7.9.http2connection">HTTP/2 Connection</a> <tr><td class="sepr"><a href="#9.7.10.instances">9.7.10</a>…………………<td class="text"><a href="#9.7.10.instances">Instances</a> <tr><td class="sepr"><a href="#9.7.11.instancestatus">9.7.11</a>…………………<td class="text"><a href="#9.7.11.instancestatus">Instance Status</a> <tr><td class="sepr"><a href="#9.7.12.logging">9.7.12</a>…………………<td class="text"><a href="#9.7.12.logging">Logging</a> <tr><td class="sepr"><a href="#9.7.13.mapping">9.7.13</a>…………………<td class="text"><a href="#9.7.13.mapping">Mapping</a> <tr><td class="sepr"><a href="#9.7.14.networkconnection">9.7.14</a>…………………<td class="text"><a href="#9.7.14.networkconnection">Network Connection</a> <tr><td class="sepr"><a href="#9.7.15.shutdownandrestart">9.7.15</a>…………………<td class="text"><a href="#9.7.15.shutdownandrestart">Shutdown and Restart</a> <tr><td class="sepr"><a href="#9.7.16.securesocketslayer">9.7.16</a>…………………<td class="text"><a href="#9.7.16.securesocketslayer">Secure Sockets Layer</a> <tr><td class="sepr"><a href="#9.7.17.throttle">9.7.17</a>…………………<td 
class="text"><a href="#9.7.17.throttle">Throttle</a> <tr><td class="sepr"><a href="#9.7.18.websocket">9.7.18</a>…………………<td class="text"><a href="#9.7.18.websocket">WebSocket</a> <tr><td class="sepr"><a href="#10.watchfacility">10.</a>…………………<td class="text majr"><a href="#10.watchfacility">WATCH Facility</a> <tr><td class="sepr"><a href="#10.1.serverinstances">10.1</a>…………………<td class="text"><a href="#10.1.serverinstances">Server Instances</a> <tr><td class="sepr"><a href="#10.2.eventcategories">10.2</a>…………………<td class="text"><a href="#10.2.eventcategories">Event Categories</a> <tr><td class="sepr"><a href="#10.3.requestfiltering">10.3</a>…………………<td class="text"><a href="#10.3.requestfiltering">Request Filtering</a> <tr><td class="sepr"><a href="#10.4.reportformat">10.4</a>…………………<td class="text"><a href="#10.4.reportformat">Report Format</a> <tr><td class="sepr"><a href="#10.5.usagesuggestions">10.5</a>…………………<td class="text"><a href="#10.5.usagesuggestions">Usage Suggestions</a> <tr><td class="sepr"><a href="#10.6.commandlineuse">10.6</a>…………………<td class="text"><a href="#10.6.commandlineuse">Command-Line Use</a> <tr><td class="sepr"><a href="#11.serverperformance">11.</a>…………………<td class="text majr"><a href="#11.serverperformance">Server Performance</a> <tr><td class="sepr"><a href="#11.1.simplefilerequestturnaround">11.1</a>…………………<td class="text"><a href="#11.1.simplefilerequestturnaround">Simple File Request Turn-Around</a> <tr><td class="sepr"><a href="#11.2.scripting">11.2</a>…………………<td class="text"><a href="#11.2.scripting">Scripting</a> <tr><td class="sepr"><a href="#12.httpdwebupdate">12.</a>…………………<td class="text majr"><a href="#12.httpdwebupdate">HTTPd Web Update</a> <tr><td class="sepr"><a href="#13.utilitiesandfacilities">13.</a>…………………<td class="text majr"><a href="#13.utilitiesandfacilities">Utilities and Facilities</a> <tr><td class="sepr"><a href="#13.1.echofacility">13.1</a>…………………<td class="text"><a href="#13.1.echofacility">Echo Facility</a> 
<tr><td class="sepr"><a href="#13.2.hissfacility">13.2</a>…………………<td class="text"><a href="#13.2.hissfacility">Hiss Facility</a> <tr><td class="sepr"><a href="#13.3.streamfacility">13.3</a>…………………<td class="text"><a href="#13.3.streamfacility">Stream Facility</a> <tr><td class="sepr"><a href="#13.4.wherefacility">13.4</a>…………………<td class="text"><a href="#13.4.wherefacility">Where Facility</a> <tr><td class="sepr"><a href="#13.5.xrayfacility">13.5</a>…………………<td class="text"><a href="#13.5.xrayfacility">Xray Facility</a> <tr><td class="sepr"><a href="#13.6.calogs">13.6</a>…………………<td class="text"><a href="#13.6.calogs">CALogs</a> <tr><td class="sepr"><a href="#13.7.cspreporter">13.7</a>…………………<td class="text"><a href="#13.7.cspreporter">CSPreport[er]</a> <tr><td class="sepr"><a href="#13.8.htadmin">13.8</a>…………………<td class="text"><a href="#13.8.htadmin">HTAdmin</a> <tr><td class="sepr"><a href="#13.9.httpdmonitor">13.9</a>…………………<td class="text"><a href="#13.9.httpdmonitor">HTTPd Monitor</a> <tr><td class="sepr"><a href="#13.10.md5digest">13.10</a>…………………<td class="text"><a href="#13.10.md5digest">MD5digest</a> <tr><td class="sepr"><a href="#13.11.qdlogstats">13.11</a>…………………<td class="text"><a href="#13.11.qdlogstats">QDLogStats</a> <tr><td class="sepr"><a href="#13.12.sechanutility">13.12</a>…………………<td class="text"><a href="#13.12.sechanutility">SECHAN Utility</a> <tr><td class="sepr"><a href="#13.13.streamlfutility">13.13</a>…………………<td class="text"><a href="#13.13.streamlfutility">StreamLF Utility</a> <tr><td class="sepr"><a href="#13.14.wasteeutility">13.14</a>…………………<td class="text"><a href="#13.14.wasteeutility">WAStee Utility</a> <tr><td class="sepr"><a href="#13.15.wotsuputility">13.15</a>…………………<td class="text"><a href="#13.15.wotsuputility">WOTSUP Utility</a> <tr><td class="sepr"><a href="#14.index">14.</a>…………………<td class="text majr"><a href="#14.index">Index</a> <tr><td class="sepr"><a href="#15.attributionandacknowledgement">15.</a>…………………<td class="text 
majr"><a href="#15.attributionandacknowledgement">Attribution and Acknowledgement</a> </table> </div> <br> <!-- source:0100_INTRO.WASDOC --> <hr class="page"> <a id="1." href="#"></a> <a id="1.introduction" href="#"></a> <a id="introduction" href="#"></a> <h1 class="head"><span class="numb">1.</span><span class="text">Introduction</span></h1> <table class="TOC2table"> <tr><td><a href="#1.1.troubleshooting"><span class="numb">1.1</span><span class="text">Troubleshooting?</span></a> </table> </div> <table class="NAVtable NAVprint"><tr> <td><a href="javascript:window.history.back();">↩︎</a> <td><a href="#0.">↖︎</a> <td><a href="#0.">↑︎</a> <td><a href="#2.">↘︎</a> <td><a href="javascript:window.history.forward();">↪︎</a> </table> <p> With the installation, update and detailed configuration of the WASD Web Services package provided in <a class="link blank" target="_blank" href="../config/">WASD Web Services - Install and Config</a>, why have an introduction in this subsequent document? After getting the basics up and running (often the first thing we want to do) it's time to stop and consider the tool and what we're trying to accomplish with it. So this section provides an overview of the package's design philosophy, history and significant features and capabilities by topic. <p> The document <span class="high bold">assumes</span> a basic understanding of Web technologies and uses terms without explaining them (e.g. HTTP, HTML, URL, CGI, SSI, etc.). The reader is referred to documents specifically on these topics.
<a id="1.0.0.0.1" href="#"></a> <a id="1.objectives" href="#"></a> <a id="objectives" href="#"></a> <h5 class="head"><span class="text">Objectives</span></h5> <p> WASD Web Services originated from a 1993 decision by Wide Area Surveillance Division (WASD) management (then High Frequency Radar Division, HFRD) to make as much information as possible, both administrative and research, available online to a burgeoning personal desktop workstation and PC environment (to use the current term … an <span class="high italic">intranet</span>) using the then emerging Web technologies. <p> It then became the objective of this author to make <span class="high italic">all</span> of our systems' VMS-related resources available via HTTP and HTML, regardless of the underlying data or storage format. An examination of the WASD package will show that this objective is substantially achieved. <a id="1.0.0.0.2" href="#"></a> <a id="1.reasonsforyetanotherwebpackage" href="#"></a> <a id="reasonsforyetanotherwebpackage" href="#"></a> <h5 class="head"><span class="text">Reasons For Yet Another Web Package</span></h5> <p> Reasons for developing (remember; back in 1994!) a local HTTP server were few but compelling: <ul class="list"> <li class="item"> It was preferred to support this environment on a VMS platform; at the time the most widely used and accessible environment within WASD. <li class="item"> At that time servers (and even then there were quite a few variations) were largely Unix based, although HTTP was being supported (to a greater or lesser extent) across a wide range of platforms. Ports to VMS, if they existed, were often in-progress or half-baked, employing <span class="high italic">Unix</span>isms that don't translate elegantly to the VMS environment. <li class="item"> The VMS version of the CERN server (3.0-6) was evaluated during mid-1994: <ul class="list"> <li class="item"> It was (still is) not multi-threaded under VMS (i.e. cannot support concurrent clients).
For example, a lengthy search may delay other clients for unacceptable periods. <li class="item"> The performance was good with document transfers, but became poor when running a <span class="high italic">script</span>. <li class="item"> It is acknowledged in the release notes that it cannot handle a client cancelling a data transfer (a not-uncommon action). This was confirmed experimentally. </ul> <li class="item"> An early version of the OSU server was evaluated via documentation mid-1994. The author considered the DECthreads of the time to have limitations (including frequent, show-stopping bugs) and OSU had a number of implementation idiosyncrasies (e.g. DECnet based scripting). <li class="item"> HTTP, in the then standard implementation (HTTP/1.0, RFC1945), was relatively simple to implement to the level required to support intra-Divisional requirements. <li class="item"> Since that time … <ul class="list"> <li class="item"> <span class="high bold">As of December 1995</span> the server has worked extremely well and has a number of facilities tailored for the VMS environment. It can continue to be utilized until there are overwhelming reasons for implementing something else. <li class="item"> <span class="high bold">June 1997</span> the server and associated software continues to evolve and provide a stable and effective VMS Web environment, even with the advent of a small number of commercial VMS Web products. <li class="item"> <span class="high bold">October 1999</span> the package is beginning to mature as an HTTP/1.0 solution, providing not only a fast and stable server but an increasingly extensive collection of applications and tools. <li class="item"> <span class="high bold">July 2002</span> it continues to be refined and extended. A greater emphasis on "commercial" functionality has occurred over the past couple of years.
<li class="item"> <span class="high bold">December 2004</span> it now complies with the HTTP/1.1 specification (RFC2616) and provides a very respectable range of functionality and the fastest and most efficient serving environment for VMS. <li class="item"> <span class="high bold">A decade on (2014)</span> it continues to be adopted by sites wanting fast, efficient, capable and often philosophically VMS infrastructure. WASD continues to be enhanced and bug-fixed <span class="high under">two decades</span> after its initial, tentative steps into the World-Wide information Web. <li class="item"> <span class="high bold">May 2016</span> brings HTTP/2 (RFC 7540, RFC 7541) to WASD. A replacement for how HTTP is expressed "on the wire", it is not a ground-up rewrite of the protocol; HTTP methods, status codes and semantics are the same. The focus of the protocol is on performance; specifically, end-user perceived latency, network and server resource usage. <li class="item"> <span class="high bold">June 2019</span> occasions WASD's twenty-fifth anniversary! <br> <span class="high bold">For a quarter-century and more – the only web environment implemented expressly for VMS</span>. <li class="item"> <span class="high bold">Late 2021</span> ta-da! WASD on x86-64 </ul> </ul> <a id="1.1" href="#"></a> <a id="1.1.troubleshooting" href="#"></a> <a id="troubleshooting" href="#"></a> <h2 class="head"><span class="numb">1.1</span><span class="text">Troubleshooting?</span></h2> <p> When initially installing or configuring WASD, and sometimes later where something breaks spectacularly, it is most useful to be able to gain insight into what the server is up to. <p> The <span class="high italic">go-to</span> tool is <span style="font-size:110%">WATCH</span> (yes, all capitals, and for no other reason than it makes it stand out). <p> WATCH is described in detail in <a class="link" href="#10.watchfacility">10. WATCH Facility</a> of this document. 
<p> For most circumstances WATCH can be made available for troubleshooting even if the configuration is significantly broken. This is done by using a skeleton-key to authorise special access into the server. <p> The skeleton-key is described in detail in <a class="link" href="#3.12.skeletonkeyauthentication">3.12 Skeleton-Key Authentication</a>, also in this document. <p> <span class="high bold">TL;DR</span> <p> Enable it at the command line with a username that begins with an underscore and is at least 8 characters long, and a password that is also at least 8 characters long. <div class="blockof code">$ HTTPD /DO=AUTH=SKELKEY=_<span class="high italic">username</span>:<span class="high italic">password</span> </div> <p> Then, using a browser, access any available service, entering the above username (including the underscore) and password when prompted. <div class="blockof block"><a class="link blank" target="_blank" href="/httpd/-/admin/report/WATCH">https://<i>the.host.name:port</i> /httpd/-/admin/report/WATCH</a> </div> <p> The server administration facilities (of which WATCH is one) are also available and useful. <div class="blockof block"><a class="link blank" target="_blank" href="/httpd/-/admin/">https://<i>the.host.name:port</i> /httpd/-/admin/</a> </div> <!-- source:0200_OVERVIEW.WASDOC --> <hr class="page"> <a id="2."
href="#"></a> <a id="2.packageoverview" href="#"></a> <a id="packageoverview" href="#"></a> <h1 class="head"><span class="numb">2.</span><span class="text">Package Overview</span></h1> <table class="TOC2table"> <tr><td><a href="#2.1.serverbehaviour"><span class="numb">2.1</span><span class="text">Server Behaviour</span></a> <tr><td><a href="#2.2.vmsversions"><span class="numb">2.2</span><span class="text">VMS Versions</span></a> <tr><td><a href="#2.3.tcpippackages"><span class="numb">2.3</span><span class="text">TCP/IP Packages</span></a> <tr><td><a href="#2.4.internationalfeatures"><span class="numb">2.4</span><span class="text">International Features</span></a> </table> </div> <table class="NAVtable NAVprint"><tr> <td><a href="javascript:window.history.back();">↩︎</a> <td><a href="#1.">↖︎</a> <td><a href="#0.">↑︎</a> <td><a href="#3.">↘︎</a> <td><a href="javascript:window.history.forward();">↪︎</a> </table> <p> The most fundamental component of the WASD VMS Web Services environment is the HTTP server (HyperText Transport Protocol Daemon, or HTTPd). WASD has a single-process, multi-threaded, asynchronous I/O design. <p> The following bullet-points summarise the features and facilities, many of which are described in significant detail in following chapters. 
<a id="2.0.0.0.1" href="#"></a> <a id="2.general" href="#"></a> <a id="general" href="#"></a> <h5 class="head"><span class="text">General</span></h5> <ul class="list list0"> <li class="item"> concurrent, multi-threaded client support <li class="item"> HTTP/2 compliant (RFC 7540, RFC 7541) <li class="item"> HTTP/1.1 compliant (RFC 2616, RFC 7230 and family) <li class="item"> HTTP/1.0 compliant (RFC 1945) <li class="item"> WebDAV 1,2 support (RFC 4918) <li class="item"> Cross-Origin Resource Sharing (CORS) <li class="item"> virtual services (servers) <li class="item"> IPv4 and IPv6 support (requires underlying TCP/IP support) <li class="item"> requests above a configurable limit can be queued ("throttling") <li class="item"> enhanced privacy using Transport Layer Security technology (TLS), aka Secure Sockets Layer (SSL), including <p> <ul class="list list0"> <li class="item"> OpenSSL Toolkit <li class="item"> WASD OpenSSL <li class="item"> VSI SSL product </ul> <li class="item"> serves ODS-2 and ODS-5 (EFS) volumes, as well as file names encoded using schemas <p> <ul class="list list0"> <li class="item"> PATHWORKS 4/5 <li class="item"> Advanced Server (PATHWORKS 6) and <li class="item"> SRI (MultiNet NFS, etc.)
</ul> <li class="item"> versatile directory listing (generic and VMS-style) <li class="item"> Server-Side Includes (SSI HTML pre-processing) <li class="item"> configurable cache, with time-based and forced revalidation (reload) <li class="item"> byte-range support with 206 partial responses (useful for PDF and restarting file download by modern browsers) <li class="item"> proxy serving, with local file-system caching, plus the CONNECT method (also allowing a number of esoteric SSL tunnelling configurations), along with FTP proxy <li class="item"> gatewaying between Web protocols (HTTP-to-SSL, SSL-to-HTTP, HTTP-to-FTP) <li class="item"> gatewaying between IP protocols (IPv4-to-IPv6, IPv6-to-IPv4) </ul> <a id="2.0.0.0.2" href="#"></a> <a id="2.scripting" href="#"></a> <a id="scripting" href="#"></a> <h5 class="head"><span class="text">Scripting</span></h5> <ul class="list list0"> <li class="item"> CGI 1.1 compliant scripting (RFC 3875) <li class="item"> non-server and user account scripting <li class="item"> "CGIplus" scripting (offering reduced latency, increased throughput and reduced system impact) <li class="item"> "Persistent" scripting, Run-Time Environments (RTEs) that provide for simple persistent scripting <li class="item"> WebSocket scripting environment; a capability introduced with HTML5, providing an asynchronous, bidirectional, full-duplex connection. <li class="item"> "RawSocket" scripting environment; providing a protocol-agnostic asynchronous, bidirectional, full-duplex connection. <li class="item"> "ISAPI" extensions/scripting (also offering reduced latency, increased throughput and reduced system impact) <li class="item"> DECnet-based CGI scripting (with connection reuse) <li class="item"> OSU (DECthreads server) scripting emulation, with connection reuse (as per OSU 3.3a), allowing many OSU scripts to be employed unmodified <li class="item"> script processor (e.g.
PERL, PHP, Python) configurable on file type (suffix) <li class="item"> configurable, automatic, MIME content-type initiated scripting ("presentation" scripting) </ul> <a id="2.0.0.0.3" href="#"></a> <a id="2.accesscontrol" href="#"></a> <a id="accesscontrol" href="#"></a> <h5 class="head"><span class="text">Access Control</span></h5> <ul class="list list0"> <li class="item"> host-level, on per-host or per-domain <li class="item"> "Basic" and "Digest" user authentication and path/group-based authorization <li class="item"> WASD-specific user databases <li class="item"> SYSUAF-authentication and VMS user security profile based file access control <li class="item"> ACME service authentication (on applicable platforms) <li class="item"> X.509 client certificate authentication (for SSL transactions) <li class="item"> RFC 1413 (<span class="high italic">ident</span> daemon) "authentication" <li class="item"> Example LDAP authenticators </ul> <a id="2.0.0.0.4" href="#"></a> <a id="2.administration" href="#"></a> <a id="administration" href="#"></a> <h5 class="head"><span class="text">Administration</span></h5> <ul class="list list0"> <li class="item"> multiple <span class="high italic">instances</span> (server processes) executing on the one system allow continuous availability via rolling restarts and "fail-through" processing <li class="item"> "one-button" control of multiple <span class="high italic">instances</span> on both single systems and across clusters <li class="item"> online server configuration, including reports on requests, loaded configuration, mapping rules, authorization information and graphical activity displays <li class="item"> online, live server processing event report (WATCH) <li class="item"> Web-standard, "common" and "combined" access log formats (allowing processing by most log-analysis tools), along with a user-definition capability allowing custom log formats <li class="item"> logging periods, where log files automatically change on a 
daily, weekly or monthly basis (keeps log files ordered and at a manageable size) <li class="item"> customizable message database (capable of supporting non-English and concurrent, multiple languages) </ul> <a id="2.1" href="#"></a> <a id="2.1.serverbehaviour" href="#"></a> <a id="serverbehaviour" href="#"></a> <h2 class="head"><span class="numb">2.1</span><span class="text">Server Behaviour</span></h2> <p> The technical aspects of server design and behaviour are described in <a class="link blank" target="_blank" href="/wasd_root/src/httpd/readmore.txt">WASD_ROOT:[SRC.HTTPD]READMORE.TXT</a> <a id="2.2" href="#"></a> <a id="2.2.vmsversions" href="#"></a> <a id="vmsversions" href="#"></a> <h2 class="head"><span class="numb">2.2</span><span class="text">VMS Versions</span></h2> <p> The WASD server is supported on any VMS version from V7.0 upwards, on Alpha, Itanium and x86-64 architectures. The current version (as of 2021), V8.4 Alpha and Itanium, as is commonly the case on VMS platforms, required nothing more than relinking. Obviously no guarantees can be made for yet-to-be-released versions, but at worst these should only require the same. <p> The WASD distribution and package organisation fully supports mixed-architecture clusters (Alpha, Itanium and/or x86-64 in the one cluster) as one integrated installation. <a id="2.3" href="#"></a> <a id="2.3.tcpippackages" href="#"></a> <a id="tcpippackages" href="#"></a> <h2 class="head"><span class="numb">2.3</span><span class="text">TCP/IP Packages</span></h2> <p> The WASD server uses the TCP/IP Services (UCX) BG $QIO interface. The following packages support this interface and may be used. <ul class="list list0"> <li class="item"> VSI TCP/IP Services for OpenVMS (VMS Software Inc.)
<li class="item"> TCP/IP Services for OpenVMS (Hewlett Packard <span class="high italic">whatever</span>) ** <li class="item"> Digital TCP/IP Services for OpenVMS (aka UCX) *** <li class="item"> MultiNet for OpenVMS (Process Software Corporation) ** <p> ** any <span class="high bold">not unreasonably ancient</span> version <br>*** <span class="high italic">this might be becoming a bit of a stretch</span> </ul> <p> To deploy IPv6 services the TCP/IP package in use must support IPv6. <a id="2.4" href="#"></a> <a id="2.4.internationalfeatures" href="#"></a> <a id="internationalfeatures" href="#"></a> <h2 class="head"><span class="numb">2.4</span><span class="text">International Features</span></h2> <p> WASD provides a number of features that assist in the support of non-English and multi-language sites. These "international" features only apply to the server, not necessarily to any scripts! <ul class="list"> <li class="item"> <span class="high bold">Language Variants</span> <p> A directory may contain language-specific variants of a basic document. When requesting the basic document name these variants are automatically and transparently provided as the response if one matches the preferences expressed in the request's "Accept-Language:" request header field. Both text and non-text documents (e.g. images) may be provided using this mechanism. <p> Configuration information is provided in section <a class="link blank" target="_blank" href="../config/#languagevariants">Language Variants</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>. <li class="item"> <span class="high bold">Character Sets</span> <p> Generally the default character set for documents on the Web is ISO-8859-1 (Latin-1). The server allows the specification of any character set as a default for text document responses (plain and HTML). In addition, text document file types may be modified or additional ones specified that have a different character set associated with that type.
Furthermore, specific character sets may be associated with mapping paths. A site can therefore relatively easily support multiple character set document resources. <p> In addition the server may be configured to dynamically convert one character set to another during request processing. This is supported using the VMS standard NCS character set conversion library. <p> For further information see [CharsetDefault], [CharsetConvert] and [AddType] in <a class="link blank" target="_blank" href="../config/#alphabeticlisting">Alphabetic Listing</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>. <li class="item"> <span class="high bold">Server Messages</span> <p> The server uses an administrator-customizable database of messages that can contain multiple language instances of some or all messages, using the Latin-1 character set (ISO8859-1). Although the base English messages can be completely changed and/or translated to provide any message text required or desired, a more convenient approach is to supplement this base set with a language-specific one. <p> One language is designated the preferred language. This would most commonly be the language appropriate to the geographical location and/or clientele of the server. Another language is designated the base language. This must have a complete set of messages and is a fall-back for any messages not configured for the additional language. Of course this base language would most commonly be the original English version. <p> More than just two languages can be supported. If the browser has <span class="high italic">preferred languages</span> set, the server will attempt to match a message with a language in this preference list. If not, then the server-preferred and then the base language message would be issued, in that order. In this way it would be possible to simultaneously provide for English, French, German and Swedish audiences, just for example.
<p> For message configuration information see <a class="link blank" target="_blank" href="../config/#messageconfiguration">Message Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>. <li class="item"> <span class="high bold">Server Dates</span> <p> Dates appearing in server-generated, non-administrative content (e.g. directory listings, not META-tags, which use Web-standard time formats) will use the natural language specified by any SYS$LANGUAGE environment in use on the system or specifically created for the server. <li class="item"> <span class="high bold">Virtual Services</span> <p> Virtual-server-associated mapping, authorization and character-sets allow for easy multiple language and environment sites. Further per-request tailoring may be deployed using conditional rule mapping described below. A single server can support multi-homed (host name) and multiple port services. <p> For virtual services information see <a class="link blank" target="_blank" href="../config/#configurationconsiderations">Configuration Considerations</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>. <li class="item"> <span class="high bold">Conditional Rule Mapping</span> <p> Mapping rules map requested URL paths to physical or other paths (see <a class="link blank" target="_blank" href="../config/#requestprocessingconfiguration">Request Processing Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>). Conditional rules are only applied if the request matches criteria such as preferred language, host address (hence geographical location to a certain extent), etc. This allows requests for generic documents (e.g. home pages) to be mapped to language versions appropriate to the above criteria.
<p> For conditional mapping information see <a class="link blank" target="_blank" href="../config/#conditionalconfiguration">Conditional Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>. </ul> <!-- source:0300_AUTHORIZATION.WASDOC --> <hr class="page"> <a id="3." href="#"></a> <a id="3.authenticationandauthorization" href="#"></a> <a id="authenticationandauthorization" href="#"></a> <h1 class="head"><span class="numb">3.</span><span class="text">Authentication and Authorization</span></h1> <div class="TOC2cols2"> <table class="TOC2table"> <tr><td><a href="#3.1.ruleinterpretation"><span class="numb">3.1</span><span class="text">Rule Interpretation</span></a> <tr><td><a href="#3.2.authenticationpolicy"><span class="numb">3.2</span><span class="text">Authentication Policy</span></a> <tr><td><a href="#3.3.permissionspathanduser"><span class="numb">3.3</span><span class="text">Permissions, Path and User</span></a> <tr><td><a href="#3.4.authorizationconfigurationfile"><span class="numb">3.4</span><span class="text">Authorization Configuration File</span></a> <tr><td><a href="#3.5.authenticationsources"><span class="numb">3.5</span><span class="text">Authentication Sources</span></a> <tr><td><a href="#3.6.realmfullaccessreadonly"><span class="numb">3.6</span><span class="text">Realm, Full-Access, Read-Only</span></a> <tr><td><a href="#3.7.virtualservers"><span class="numb">3.7</span><span class="text">Virtual Servers</span></a> <tr><td><a href="#3.8.authorizationconfigurationexamples"><span class="numb">3.8</span><span class="text">Authorization Configuration Examples</span></a> <tr><td><a href="#3.8.1.kiss"><span class="numb">3.8.1</span><span class="text">KISS</span></a> <tr><td><a href="#3.9.authorizationcache"><span class="numb">3.9</span><span class="text">Authorization Cache</span></a> <tr><td><a href="#3.10.sysuafauthenticatedusers"><span class="numb">3.10</span><span class="text">SYSUAF-Authenticated 
Users</span></a> <tr><td><a href="#3.10.1.acme"><span class="numb">3.10.1</span><span class="text">ACME</span></a> <tr><td><a href="#3.10.2.logontype"><span class="numb">3.10.2</span><span class="text">Logon Type</span></a> <tr><td><a href="#3.10.3.rightsidentifiers"><span class="numb">3.10.3</span><span class="text">Rights Identifiers</span></a> <tr><td><a href="#3.10.4.wasdquothardwiredquotidentifiers"><span class="numb">3.10.4</span><span class="text">WASD "Hard-Wired" Identifiers</span></a> <tr><td><a href="#3.10.5.vmsaccountproxying"><span class="numb">3.10.5</span><span class="text">VMS Account Proxying</span></a> <tr><td><a href="#3.10.6.nilaccessvmsaccounts"><span class="numb">3.10.6</span><span class="text">Nil-Access VMS Accounts</span></a> <tr><td><a href="#3.10.7.sysuafandssl"><span class="numb">3.10.7</span><span class="text">SYSUAF and SSL</span></a> <tr><td><a href="#3.10.8.sysuafsecurityprofile"><span class="numb">3.10.8</span><span class="text">SYSUAF Security Profile</span></a> <tr><td><a href="#3.10.9.sysuafprofileforfullsiteaccess"><span class="numb">3.10.9</span><span class="text">SYSUAF Profile For Full Site Access</span></a> <tr><td><a href="#3.11.tokenauthentication"><span class="numb">3.11</span><span class="text">Token Authentication</span></a> <tr><td><a href="#3.12.skeletonkeyauthentication"><span class="numb">3.12</span><span class="text">Skeleton-Key Authentication</span></a> <tr><td><a href="#3.13.controllingserverwriteaccess"><span class="numb">3.13</span><span class="text">Controlling Server Write Access</span></a> <tr><td><a href="#3.14.securingallrequests"><span class="numb">3.14</span><span class="text">Securing All Requests</span></a> <tr><td><a href="#3.15.userpasswordmodification"><span class="numb">3.15</span><span class="text">User Password Modification</span></a> <tr><td><a href="#3.16.cancellingauthorization"><span class="numb">3.16</span><span class="text">Cancelling Authorization</span></a> </table> </div> <table 
class="NAVtable NAVprint"><tr> <td><a href="javascript:window.history.back();">↩︎</a> <td><a href="#2.">↖︎</a> <td><a href="#0.">↑︎</a> <td><a href="#4.">↘︎</a> <td><a href="javascript:window.history.forward();">↪︎</a> </table> <p> <span class="high bold">Authentication</span> is the verification of a user's identity, usually through username/password credentials. <span class="high bold">Authorization</span> is allowing a certain action to be applied to a particular path based on authentication of the originator. <p> Generally, authorization is a two step process. First authentication, using a username/password database. Second authorization, determining what the username is allowed to do for this transaction. <p> Basic authorization was discussed in <a class="link blank" target="_blank" href="../config/#authorizationconfigurationbasics">Authorization Configuration (Basics)</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>. This section discusses all the aspects of WASD authentication and authorization. <a id="3.0.0.0.1" href="#"></a> <a id="3.overview" href="#"></a> <a id="overview" href="#"></a> <h5 class="head"><span class="text">Overview</span></h5> <p> By default, the logical name <span class="high bold">WASD_CONFIG_AUTH</span> locates a common authorization rule file. Simple editing of the file and reloading into the running server changes the processing rules. <p> Server authorization is performed using a configuration file, authentication source, and optional full-access and read-only authorization grouping sources, and is based on per-path directives. There is no user-configured authorization necessary, or possible! In the configuration file paths are associated with the authentication and authorization environments, and so become subject to the HTTPd authorization mechanism. 
Reiterating … WASD HTTPd authorization administration involves those two aspects, setting authorization against paths and administering the authentication and authorization sources. <p> <span class="high bold">Authorization is applied to the request path (i.e. the path in the URL used by the client). Sometimes it is possible to access the same resource using different paths. Where this can occur care must be exercised to authorize all possible paths.</span> <p> <span class="high bold">Where a request will result in script activation, authorization is performed on both script and path components</span>. First script access is checked for any authorization, then the path component is independently authorized. Either may result in an authorization challenge/failure. This behaviour can be disabled using a path SETting rule, see <a class="link blank" target="_blank" href="../config/#setrule">SET Rule</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>. <p> The <span class="high bold">authentication source</span> name is referred to as the <span class="high italic">realm</span>, and refers to a collection of usernames and passwords. It can be the system's SYSUAF database. <p> The <span class="high bold">authorization source</span> is referred to as the <span class="high italic">group</span>, and commonly refers to a collection of usernames and associated <span class="high italic">permissions</span>. <a id="3.1" href="#"></a> <a id="3.1.ruleinterpretation" href="#"></a> <a id="ruleinterpretation" href="#"></a> <h2 class="head"><span class="numb">3.1</span><span class="text">Rule Interpretation</span></h2> <p> The configuration file rules are scanned from first towards last, until a matching rule is encountered (or end-of-file). Generally a rule has a trailing wildcard to indicate that all sub-paths are subject to the same authorization requirements. 
<a id="3.1.0.0.1" href="#"></a> <a id="3.1.stringmatching" href="#"></a> <a id="stringmatching" href="#"></a> <h5 class="head"><span class="text">String Matching</span></h5> <p> Rule matching is string pattern matching, comparing the request specified path, and optionally other components of the request when using configuration conditionals <a class="link blank" target="_blank" href="../config/#conditionalconfiguration">Conditional Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>, to a series of patterns, until one of the patterns matches, at which stage the authorization characteristics are applied to the request and authentication processing is undertaken. If a matching pattern (rule) is not found the path is considered not to be subject to authorization. Both wildcard and regular expression based pattern matching is available <a class="link blank" target="_blank" href="../config/#stringmatching">String Matching</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>. <a id="3.2" href="#"></a> <a id="3.2.authenticationpolicy" href="#"></a> <a id="authenticationpolicy" href="#"></a> <h2 class="head"><span class="numb">3.2</span><span class="text">Authentication Policy</span></h2> <p> A <span class="high italic">policy</span> regarding when and how authorization can be used may be established on a per-server basis. This can restrict authentication challenges to "https:" (SSL) requests (<a class="link" href="#4.transportlayersecurity">4. Transport Layer Security</a>), thereby ensuring that the authorization environment is not compromised by use in non-encrypted transactions. Two server qualifiers provide this. <ul class="list"> <li class="item"> <span class="high bold">/AUTHORIZE=</span> <ul class="list"> <li class="item"> <span class="high bold">ALL</span> restricts <span class="high bold">all</span> requests to authorized paths. 
If a path does not have authorization configured against it it is automatically denied access. This is an effective method of preventing inadvertent access to areas in a site (<a class="link" href="#3.14.securingallrequests">3.14 Securing All Requests</a>). <li class="item"> <span class="high bold">SSL</span> restricts <span class="high bold">all</span> authentication/authorization transactions to the SSL environment. <li class="item"> <span class="high bold">(SSL,ALL)</span> combines the above two. </ul> <li class="item"> <span class="high bold">/SYSUAF=</span> <ul class="list"> <li class="item"> Used without any keywords, this qualifier allows all current (non-expired, non-disusered, etc.), non-privileged accounts to be used for authentication purposes. <li class="item"> <span class="high bold">ID</span> restricts SYSUAF-authenticated accounts to those possessing a specific VMS resource identifier (<a class="link" href="#3.10.3.rightsidentifiers">3.10.3 Rights Identifiers</a>). <li class="item"> <span class="high bold">PROXY</span> allows non-SYSUAF to SYSUAF username proxying (<a class="link" href="#3.10.5.vmsaccountproxying">3.10.5 VMS Account Proxying</a>). <li class="item"> <span class="high bold">RELAXED</span> allows <span class="high bold">any</span> current account to be authorized via the SYSUAF. <span class="high bold">This is not recommended</span>, use rights identifiers to allow some discrimination to be exercised. <li class="item"> <span class="high bold">SSL</span> restricts only SYSUAF authenticated transactions to the SSL environment. <li class="item"> <span class="high bold">VMS</span> allows a combination of all current (non-expired, non-disusered, etc.), non-privileged accounts to be used for authentication purposes (the /SYSUAF without keywords behaviour), with the behaviours provided by the ID keyword. 
<li class="item"> <span class="high bold">WASD</span> enables the deprecated, "hard-wired" WASD identifier environment available to this server. See <a class="link" href="#3.10.4.wasdquothardwiredquotidentifiers">3.10.4 WASD "Hard-Wired" Identifiers</a>. <li class="item"> <span class="high bold">(VMS,ID,SSL)</span> would allow these multiple keywords to be applied, etc. </ul> </ul> <p> Note also that individual paths may be restricted to SSL requests using either the mapping conditional rule configuration or the authorization configuration files. See <a class="link blank" target="_blank" href="../config/#conditionalmapping">Conditional Mapping</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>. <p> In addition, the following configuration parameters have a direct role in an established authorization policy. <ul class="list"> <li class="item"> <span class="high bold">[AuthFailureLimit] [AuthFailurePeriod] [AuthFailureTimeout]</span> provide a similar break-in detection and evasion as with VMS. These three directives parallel the functions of SYSGEN parameters LGI_BRK_LIM, LGI_BRK_TMO, LGI_HID_TIM. A single authentication failure marks the particular username in the particular realm as suspect. Repeated failures up to [AuthFailureLimit] attempts within the [AuthFailurePeriod] period puts it into break-in evasion mode after which the period [AuthFailureTimeout] must expire before further attempts have authentication performed and so have any chance to succeed. (This is a change in behaviour to versions earlier than 8.3.) If any of the above three parameters are not specified they default to the corresponding SYSGEN parameter. 
<li class="item"> <span class="high bold">[AuthRevalidateLoginCookie]</span> When user revalidation is in effect (see immediately below), after having previously closed the browser, initial authentication of a resource is immediately followed by another if a cached entry on the server indicated revalidation was required. This prevents this second request. Requires that browser cookies be enabled. <li class="item"> <span class="high bold">[AuthRevalidateUserMinutes]</span> sets the number of minutes between successive authentication attempts before the user is forced to reenter the authentication data (via a browser dialog). Zero disables this function. When enabling this feature it is inevitable that [AuthRevalidateLoginCookie] will need to be enabled as well (described immediately above). This is used to suppress an unavoidable second username/password prompt from the browser. <div class="note"> <a id="3.2.0.0.1" href="#"></a> <a id="3.2.authenticationcacheandrevalidation" href="#"></a> <a id="authenticationcacheandrevalidation" href="#"></a> <h5 class="head center"><span class="text">Authentication Cache and Revalidation</span></h5> <hr class="note_hr"> User revalidation relies on an entry being maintained in the authentication cache. Each time the entry is flushed, for whatever reason (cache congestion, command-line purge, server restart, etc.), the user will be prompted for credentials. It may be necessary to increase the size of the cache by adjusting [AuthCacheEntriesMax] when this facility is enabled. <hr class="note_hr"> </div> </ul> <a id="3.2.0.0.2" href="#"></a> <a id="3.2.authenticationfailures" href="#"></a> <a id="authenticationfailures" href="#"></a> <h5 class="head"><span class="text">Authentication Failures</span></h5> <p> Details of authentication failures are logged to the server process log. <ul class="list"> <li class="item"> <span class="high bold">HTTPD-W-AUTHFAIL</span> indicates a failure to authenticate (incorrect username/password). 
The number of failures, the realm name, the user name and the originating host are provided. Isolated instances of this are only of moderate interest. Consecutive instances may indicate a user thrashing about for the correct password, but they usually give up before a dozen attempts. <li class="item"> <span class="high bold">HTTPD-I-AUTHFAILOK</span> advises that a previous failure to authenticate has now successfully done so. This is essentially informational. <li class="item"> <span class="high bold">HTTPD-W-AUTHFAILIM</span> indicates the number of failures have exceeded the [AuthFailureLimit], after which automatic refusal begins. This message should be of concern and the circumstances investigated, especially if the number of attempts becomes excessive. </ul> <p> Failures may also be directed to the OPCOM facility <a class="link blank" target="_blank" href="../config/#opcomlogging">OPCOM Logging</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>. <a id="3.3" href="#"></a> <a id="3.3.permissionspathanduser" href="#"></a> <a id="permissionspathanduser" href="#"></a> <h2 class="head"><span class="numb">3.3</span><span class="text">Permissions, Path and User</span></h2> <p> <span class="high bold">Both paths and usernames have permissions associated with them.</span> A path may be specified as read-only, read and write, write-only (yes, I'm sure someone will want this!), or none (permission to do nothing). A username may be specified as read capable, read and write capable, or only write capable. For each transaction these two are combined to determine the maximum level of access allowed. The allowed action is the logical AND of the path and username permissions. <p> The permissions may be described using the HTTP method names, or using the more concise abbreviations R, W, and R+W. 
<a id="3.3.0.0.1" href="#"></a> <a id="3.3.httpmethods" href="#"></a> <a id="httpmethods" href="#"></a> <h5 class="head"><span class="text">HTTP Methods</span></h5> <table class="tabl"> <tr class="tabr under"> <th class="tabh">Path/User <th class="tabh">DELETE <th class="tabh">GET <th class="tabh">HEAD <th class="tabh">POST <th class="tabh">PROPFIND <th class="tabh">PUT <th class="tabh">WebDAV <tr class="tabr"> <tr class="tabr backlight"> <td class="tabd">READ or R <td class="tabd">no <td class="tabd">yes <td class="tabd">yes <td class="tabd">no <td class="tabd">yes <td class="tabd">no <td class="tabd">no <tr class="tabr"> <td class="tabd">WRITE or W <td class="tabd">yes <td class="tabd">no <td class="tabd">no <td class="tabd">yes <td class="tabd">no <td class="tabd">yes <td class="tabd">yes <tr class="tabr backlight"> <td class="tabd">R+W <td class="tabd">yes <td class="tabd">yes <td class="tabd">yes <td class="tabd">yes <td class="tabd">yes <td class="tabd">yes <td class="tabd">yes <tr class="tabr"> <td class="tabd">NONE <td class="tabd">no <td class="tabd">no <td class="tabd">no <td class="tabd">no <td class="tabd">no <td class="tabd">no <td class="tabd">no <tr class="tabr backlight"> <tr class="tabr backlight"> <td class="tabd">DELETE <td class="tabd">yes <td class="tabd">yes <td class="tabd">no <td class="tabd">no <td class="tabd">no <td class="tabd">no <td class="tabd">no <tr class="tabr"> <td class="tabd">GET <td class="tabd">no <td class="tabd">yes <td class="tabd">no <td class="tabd">no <td class="tabd">no <td class="tabd">no <td class="tabd">no <tr class="tabr backlight"> <td class="tabd">HEAD <td class="tabd">no <td class="tabd">no <td class="tabd">yes <td class="tabd">no <td class="tabd">no <td class="tabd">no <td class="tabd">no <tr class="tabr"> <td class="tabd">POST <td class="tabd">no <td class="tabd">no <td class="tabd">no <td class="tabd">yes <td class="tabd">no <td class="tabd">no <td class="tabd">no <tr class="tabr backlight"> <td 
class="tabd">PROPFIND <td class="tabd">no <td class="tabd">no <td class="tabd">no <td class="tabd">no <td class="tabd">yes <td class="tabd">no <td class="tabd">no <tr class="tabr"> <td class="tabd">PUT <td class="tabd">no <td class="tabd">yes <td class="tabd">no <td class="tabd">no <td class="tabd">no <td class="tabd">yes <td class="tabd">no <tr class="tabr backlight"> <td class="tabd">Other WebDAV <td class="tabd">no <td class="tabd">no <td class="tabd">no <td class="tabd">no <td class="tabd">no <td class="tabd">no <td class="tabd">yes </table> <a id="3.4" href="#"></a> <a id="3.4.authorizationconfigurationfile" href="#"></a> <a id="authorizationconfigurationfile" href="#"></a> <h2 class="head"><span class="numb">3.4</span><span class="text">Authorization Configuration File</span></h2> <p> Requiring a particular path to be authorized in the HTTP transaction is accomplished by applying authorization requirements against that path in a configuration file. This is an activity distinct from setting up and maintaining any authentication/authorization databases required for the environment. <p> By default, the system-table logical name <span class="high bold">WASD_CONFIG_AUTH</span> locates a common authorization configuration file, unless an individual rule file is specified using a job-table logical name. Simple editing of the file changes the configuration. Comment lines may be included by prefixing them with the hash "#" character, and lines continued by placing the backslash character "\" as the last character on a line. <p> The [IncludeFile] is a directive common to all WASD configuration, allowing a separate file to be included as a part of the current configuration (see <a class="link blank" target="_blank" href="../config/#includefiledirective">Include File Directive</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>). 
<p> Configuration directives begin either with a "[realm]", "[realm;group]" or "[realm;group-r+w;group-r]" specification, with the forward-slash of a path specification, or with a "[AuthProxy]" or "[AuthProxyFile]" introducing a proxy mapping. Following the path specification are HTTP method keywords controlling group and world permissions to the path, and any <span class="high bold">access-restricting</span> request scheme ("https:") and/or host address(es) and/or username(s). <ul class="list"> <li class="item"> <span class="high bold">REALM</span> <p> Square brackets are used to enclose a [realm;group;group] specification, introducing a new authentication grouping. Within these brackets is specified the realm name (authentication source), and then optional group (authorization source) names separated by semi-colons. All path specifications following this are authenticated against the specified realm database, and permissions obtained from the group "[realm;group]" database (or authentication database if group not specified), until the next [realm;group;group] specification. <p> The following shows the format of an authentication source (realm) only directive. <div class="blockof code">[authentication-source] </div> <p> This one, the format of a directive using both authentication and authorization sources (both realm and group). <div class="blockof code">[authentication-source ; authorization-source] </div> <p> The third variation, using an authentication, full-access (read and write) and read-only authorization sources (realm and two grouping). <div class="blockof code">[authentication-source ; full-access-source ; read-only-source] </div> <p> The authentication source may also be given a description. This is the text the browser dialog presents during password prompting. See <a class="link" href="#3.5.realmdescription">‘Realm Description’ in 3.5 Authentication Sources</a>. 
<li class="item"> <span class="high bold">PATH</span> <p> Paths are usually specified terminated with an asterisk wildcard. This implies that any directory tree below this is included in the access control. Wildcards may be used to match any portion of the specified path, or not at all. Following the path specification are control keywords representing the HTTP methods or permissions that can be applied against the path, and optional access-restricting list of host address(es) and/or username(s), separated using commas. Access control is against either or both the group and the world. The group access is specified first followed by a semi-colon separated world specification. The following show the format of the path directive, see the examples below to further clarify the format. <div class="blockof code">/root/path/ group-access-list,group-permissions ; \ world-access-list,world-permissions </div> <li class="item"> <span class="high bold">PROXY</span> <p> The [AuthProxy] and [AuthProxyFile] directives introduce one or more SYSUAF proxy mappings (<a class="link" href="#3.10.5.vmsaccountproxying">3.10.5 VMS Account Proxying</a>). </ul> <p> <span class="high bold">The same path cannot be specified against two different realms for the same virtual service.</span> The reason lies in the HTTP authentication schema, which allows for only one realm in an authentication dialog. How would the server decide which realm to use in the authentication challenge? Of course, different parts of a given tree may have different authorizations, however any tree ending in an asterisk results in the entire sub-tree being controlled by the specified authorization environment, unless a separate specification exists for some inferior portion of the tree. <p> There is a thirty-one character limit on authentication source names. 
<a id="3.4.0.0.1" href="#"></a> <a id="3.4.reservednames" href="#"></a> <a id="reservednames" href="#"></a> <h5 class="head"><span class="text">Reserved Names</span></h5> <p> The following realm names are reserved and have special functionality. <ul class="list"> <li class="item"> <span class="high bold">EXTERNAL – </span> Any authentication and authorization will be done in some way by an external CGI script. None is attempted by the server. The server does pre-process the supplied "Authorization:" field however and ensures that any request against a path with this realm supplies authorization credentials before any further request processing (script activation) occurs. <li class="item"> <span class="high bold">NONE – </span> This refers to any request, is not authenticated in any way, and just marks the path as having been authorized for access (<a class="link" href="#3.14.securingallrequests">3.14 Securing All Requests</a>). <li class="item"> <span class="high bold">OPAQUE – </span> Allows a script generating its own challenge/response and doing all its own "Authorization:" field processing (a little like EXTERNAL but the server does absolutely nothing). <li class="item"> <span class="high bold">PROMISCUOUS – </span> This realm is only available while the /PROMISCUOUS qualifier is in use (<a class="link" href="#9.serveradministration">9. Server Administration</a>). <li class="item"> <span class="high bold">RFC1413 – </span> This IETF document describes an identification protocol that can be used as a form of <span class="high italic">authentication</span> within this realm. <li class="item"> <span class="high bold">TOKEN – </span> A <span class="high italic">token</span> is a short-lived, cookie delivered, representation of authentication established in another context. 
<li class="item"> <span class="high bold">WORLD – </span> This refers to any request and is not authenticated in any way, only the permissions associated with the path are applied to the request. The reserved username "WORLD" becomes the authenticated username. <li class="item"> <span class="high bold">VMS – </span> Use the server system's SYSUAF database to authenticate the username. For "http:" requests the username/password pairs are transmitted encoded but not encrypted, <span class="high bold" style="color:red;">so this is not recommended</span>. For "https:" requests, using the implicit security offered by SSL (<a class="link" href="#4.transportlayersecurity">4. Transport Layer Security</a>) the use of SYSUAF authentication is considered viable. <p> By default accounts with SYSPRV authorized are always rejected to discourage the use of potentially significant usernames (e.g. SYSTEM). Accounts that are disusered, have passwords that have expired, or that are captive or restricted are also automatically rejected. <p> The authentication source may be disguised by giving it a specific description. This will be the text the browser dialog presents during password prompting. See <a class="link" href="#3.5.realmdescription">‘Realm Description’ in 3.5 Authentication Sources</a>. <p> See <a class="link" href="#3.10.sysuafauthenticatedusers">3.10 SYSUAF-Authenticated Users</a> for further information on these topics. <li class="item"> <span class="high bold">X509 - </span> Uses X.509 v3 certificates (browser client certificates) to establish identity (authentication) and based on that identity control access to server resources (authorization). This is only available for SSL transactions. See <a class="link" href="#4.transportlayersecurity">4. Transport Layer Security</a> for further information on SSL, and <a class="link" href="#4.5.12.authorizationusingx509certification">4.5.12 Authorization Using X.509 Certification</a> on X509 realm authorization. 
</ul> <a id="3.4.0.0.2" href="#"></a> <a id="3.4.reservedusername" href="#"></a> <a id="reservedusername" href="#"></a> <h5 class="head"><span class="text">Reserved Username</span></h5> <p> The following username is reserved. <ul class="list"> <li class="item"> <span class="high bold">WORLD – </span> If a path is authorized using the WORLD realm the pseudo-authenticated username becomes "WORLD". Any log will reflect this username and scripts will access a WWW_REMOTE_USER containing this value. Although not forbidden, it is not recommended this string be used as a username in other realms. </ul> <a id="3.4.0.0.3" href="#"></a> <a id="3.4.accessrestrictionkeywords" href="#"></a> <a id="accessrestrictionkeywords" href="#"></a> <h5 class="head"><span class="text">Access Restriction Keywords</span></h5> <p> If a host name, protocol identifier or username is included in the path configuration directive it acts to <span class="high bold">further</span> limit access to matching clients (path and username permissions still apply). If more than one are included a request must match each. If multiple host names and/or usernames are included the client must match at least one of each. Host and username strings may contain the asterisk wildcard, matching one or more consecutive characters. This is most useful when restricting access to all hosts within a given domain, etc. In addition a VMS security profile may be associated with the request. <ul class="list"> <li class="item"> <span class="high bold">Host Names – </span> may be specified as either alphabetic (if DNS name resolution is enabled, see [DNSlookup] configuration directive) or literal addresses. When a host restriction occurs there is never an attempt to authenticate any associated username. Hence applying host restrictions very effectively prevents an attack from outside the allowed addresses. The reserved word <span class="high italic display0">localhost</span> refers to the host name the server is executing on. 
<li class="item"> <span class="high bold">Network Mask – </span> The mask is a dotted-decimal network address, a slash, then a dotted-decimal mask or VLSM (variable-length subnet mask). A network mask operates by bitwise-ANDing the client host address with the mask, bitwise-ANDing the network address supplied with the mask, then comparing the two results for equality. <li class="item"> <span class="high bold">Request Scheme – </span> (protocol) either "http:" or secured via "https:" (SSL) <li class="item"> <span class="high bold">User Names – </span> are indicated by a leading tilde, the "~" character (similar to username URL syntax). <li class="item"> <span class="high bold">Profile – </span> a SYSUAF-authenticated username can have its VMS security profile associated with the request. When applied to a path this profile is used to determine access to the file system. The WASD_CONFIG_AUTH configuration file can have the keyword "profile" added to the restriction list (<a class="link" href="#3.10.8.sysuafsecurityprofile">3.10.8 SYSUAF Security Profile</a>). In a manner-of-speaking this keyword lifts a restriction. </ul> For example <div class="blockof code">/web/secret/* *.three.stooges,~Moe,~Larry,~Curly,read </div> restricts read access to Curly, Larry and Moe accessing from within the three.stooges network, while <div class="blockof code">/web/secret/* https:,*.three.stooges,~Moe,~Larry,~Curly,read </div> applies the further restriction of access via "https:" (SSL) only. <p> These examples show the use of a network mask to restrict based on the source network of the client. In the first, four octets are supplied as the mask. In the second, a VLSM is used to specify the length of the network component of the address. <div class="blockof code">/web/secret/* https:,#131.185.250.128/255.255.255.192,~Moe,~Larry,~Curly,read /web/secret/* https:,#131.185.250.128/26,~Moe,~Larry,~Curly,read </div> <p> These examples both specify a 6 bit subnet. 
With the above examples the host 131.185.250.250 would be accepted, but 131.185.250.50 would be rejected. <p> Note that it is more efficient to place <span class="high italic">protocol</span> and <span class="high italic">host</span> restrictions at the front of a list. <a id="3.5" href="#"></a> <a id="3.5.authenticationsources" href="#"></a> <a id="authenticationsources" href="#"></a> <h2 class="head"><span class="numb">3.5</span><span class="text">Authentication Sources</span></h2> <p> Authentication credentials may be validated against one of several sources, each with different characteristics. <ul class="list"> <li class="item"> <span class="high bold">VMS Rights Identifier</span> <p> An identifier is indicated by appending a "=ID" to the name of the realm or group. Also refer to <a class="link" href="#3.10.3.rightsidentifiers">3.10.3 Rights Identifiers</a>. <p> Whether or not any particular username is allowed to authenticate via the SYSUAF may be controlled by that account holding or not holding a particular rights identifier. Placing "=ID" against a realm name implies the username must exist in the SYSUAF and hold the specified identifier name. <div class="blockof code">[PROJECT_A=id] </div> <p> When (and only when) a username has been authenticated via the SYSUAF, rights identifiers associated with that account may be used to control the level-of-access within that realm. This is in addition to any identifier controlling authentication itself. <div class="blockof code">[PROJECT_A=id;PROJECT_A_LIBRARIAN=id;PROJECT_A_USER=id] </div> <p> In this example a username would need to hold the PROJECT_A identifier to be able to authenticate, PROJECT_A_LIBRARIAN to write the path(s) (via POST, PUT) and PROJECT_A_USER to be able to read the path(s). <li class="item"> <span class="high bold">VMS Authentication</span> <p> The server system SYSUAF may be used to authenticate usernames using the VMS account name and password. 
The realm being VMS may be indicated by using the name "VMS", by appending "=VMS" to another name making it a <span class="high italic">VMS synonym</span>, or by giving it a specific description (see <a class="link" href="#3.5.realmdescription">‘Realm Description’</a> below). Further information on SYSUAF authentication may be found in <a class="link" href="#3.10.sysuafauthenticatedusers">3.10 SYSUAF-Authenticated Users</a>. These examples illustrate the general idea. <div class="blockof code">[VMS] [LOCAL=vms] [ANY_NAME_AT_ALL=vms] </div> <li class="item"> <span class="high bold">ACME</span> <p> Three Authentication and Credential Management Extension (ACME) agents are currently available (as at VMS V8.3 and WASD v9.3), "VMS" (SYSUAF), "MSV1_0" (Microsoft domain authentication used by Advanced Server) and an LDAP kit. There is also an API that will allow local or third-party agents to be developed. WASD ACME authentication is completely asynchronous and so agents that make network or other relatively latent queries will not add granularity into server processing. By default ACME is used to authenticate requests against the SYSUAF on Alpha and Itanium running VMS V7.3 or later (<a class="link" href="#3.10.1.acme">3.10.1 ACME</a>). <p> For authorization rules explicitly specifying ACME the Domain Of Interpretation (DOI) becomes the realm name, interposed between the realm description and the ACME authentication source keyword. In this first example the DOI is VMS and so all WASD SYSUAF authentication capabilities are available. <div class="blockof code">["ACME Coyote"=VMS=ACME;JIN_PROJECT=id] /a/path/* r+w,https: </div> <p> In the second example authentication is performed using the same credentials as Advanced Server running on the local system. <div class="blockof code">["PC Users"=MSV1_0=ACME] /a/nuther/path/* r+w,https: </div> <p> In this final example the DOI is a third-party agent. <div class="blockof code">["More ACME"=THIRD-PARTY=ACME] /a/different/path/* r+w,https: </div> <li class="item"> <span class="high bold">Simple List</span> <p> A plain-text list may be used to provide usernames for group membership. 
The format is one username per line, at the start of the line, with optional, white-space delimited text continuing along the line (which could be used as documentation). Blank lines and comment lines are ignored. A line may be continued by ending it with a "\" character. These files may, of course, be created and maintained using any plain text editor. They must exist in the WASD_AUTH: directory, have an extension of ".$HTL", and do not need to be world accessible. <div class="blockof code"># the stooges curley Jerome Horwitz larry Louis Feinberg moe Moses Horwitz shemp Samuel Horwitz JoeBesser JoeDeRita </div> <p> Simple lists are indicated in the configuration by appending a "=LIST" to the name. <div class="blockof code">[VMS;STOOGES=list] </div> <p> It is also possible to use a simple list for authentication purposes. The plain-text password is appended to the username with a trailing equate symbol. Although in general this is not recommended, as every password is stored as plain-text, it may be suitable as an ad hoc solution in some circumstances. The following example shows the format. <div class="blockof code"># silly example fred=dancesalittle Guess who? ginger=rogers No second prizes! </div> <li class="item"> <span class="high bold">HTA Database</span> <p> These are binary, fixed 512 byte record files, containing authentication and authorization information. HTA databases may be used for authentication and group membership purposes. The content is much the same, the role differs according to the location in the realm directive. These databases may be administered using the online Server Administration facility (<a class="link" href="#9.5.httpdserverrevise">9.5 HTTPd Server Revise</a>) or the HTAdmin command-line utility (<a class="link" href="#13.8.htadmin">13.8 HTAdmin</a>). They are located in the WASD_AUTH: directory and have an extension of ".$HTA". <p> (Essentially for historical reasons) HTA databases are the default sources for authorization information. 
Therefore, using just a name, with no trailing "=<span class="high italic">something</span>", will configure an HTA source. Also, and recommended for clearly showing the intention, appending the "=HTA" qualifier specifies an HTA database. The following example shows some of the variations. <div class="blockof code">[VMS;PROJECT_A=hta] [DEVELOPERS=hta;PROJECT_A=hta] </div> <li class="item"> <span class="high bold">X.509 Client Certificate</span> <p> Uses X.509 v3 certificates (browser client certificates) to establish identity (authentication) and based on that identity control access to server resources (authorization). This is only available for SSL transactions. See <a class="link" href="#4.transportlayersecurity">4. Transport Layer Security</a> for further information on SSL, and <a class="link" href="#4.5.12.authorizationusingx509certification">4.5.12 Authorization Using X.509 Certification</a> on X509 realm authorization. <li class="item"> <span class="high bold">RFC1413 Identification Protocol</span> <p> From RFC1413 (M. St.Johns, 1993) … <div class="blockof quote"> The Identification Protocol (a.k.a., "ident", a.k.a., "the Ident Protocol") provides a means to determine the identity of a user of a particular TCP connection. Given a TCP port number pair, it returns a character string which identifies the owner of that connection on the server's system. </div> and … <div class="blockof quote">The information returned by this protocol is at most as trustworthy as the host providing it OR the organization operating the host. For example, a PC in an open lab has few if any controls on it to prevent a user from having this protocol return any identifier the user wants. Likewise, if the host has been compromised the information returned may be completely erroneous and misleading. <p> The Identification Protocol is not intended as an authorization or access control protocol. At best, it provides some additional auditing information with respect to TCP connections. 
At worst, it can provide misleading, incorrect, or maliciously incorrect information. </div> <p> Nevertheless, RFC1413 may be useful for some purposes in some heterogeneous environments, and so has been made available for <span class="high italic">authentication</span> purposes. <div class="blockof code">[RFC1413] ["Descriptions can be used!"=RFC1413;A_PROJECT=list] </div> <p> The RFC1413 realm generates no browser username/password dialog. It relies on the system supporting the client to return a reliable identification of the user accessing the HTTP server by looking-up the user of the server connection's peer port. <li class="item"> <span class="high bold">Authorization Agent</span> <p> An authorization agent is a CGI-compliant CGIplus script that is specially activated during the authorization processing. Using CGI environment variables it gets details of the request, makes an assessment based on its own internal authentication/authorization processing, and using the script <span class="high italic">callout</span> mechanism returns the results to the server, which then acting on these, allows or denies access. <p> Such agents allow a site to develop local authentication/authorization mechanisms relatively easily, based on CGI principles. A discussion of such a development is not within the scope of this section, see the <a class="link blank" target="_blank" href="../scripting/scripting.html">WASD Web Services - Scripting</a> document for information on the use of callouts, and the example and working authorization agents provided in the <a class="link blank" target="_blank" href="/wasd_root/src/agent/*.*">WASD_ROOT:[SRC.AGENT]</a> directory. The description at the beginning of these programs covers these topics in some detail. <p> An authorization agent would be configured using something like the following, where the "AUTHAGENT" is the actual script name doing the authorization. This has the path "/cgiauth-bin/" prepended to it. 
<div class="blockof code">["Example Agent"=AUTHAGENT_EXAMPLE=agent] /some/path/or/other/* r+w </div> <p> It is possible to supply additional, per-path information to an agent. This can be any free-form text (up to a maximum length of 63 characters). This might be a configuration file location, as used in the example CEL authenticator. For example <div class="blockof code">["CEL Authenticator"=AUTHAGENT_CEL=agent] /some/path/or/other/* r+w,param=WASD_ROOT:[LOCAL]CEL1.LIS /a/nother/path/* r+w,param=WASD_ROOT:[LOCAL]CEL2.LIS </div> <p> Generally authorization agent scripts use 401/WWW-Authorize: transactions to establish identity and credentials. It is possible for an agent to establish identity outside of this using mechanisms available only to itself. In this case it is necessary to suppress the usually automatic generation of username/password dialogs using a realm of <span class="high italic">agent+opaque</span> <div class="blockof code">[AUTHAGENT_PAPI=agent+opaque] /papi/path/or/other/* r+w /a/nother/papi/path/* r+w </div> <p> An older mechanism required a leading parameter of "/NO401". It is included here only for reference. The <span class="high italic">agent+opaque</span> realm should now always be used. <div class="blockof code">["Another Authenticator"=AUTHAGENT_ANOTHER=agent] /some/path/or/other/* r+w,param="/NO401 MORE PARAMETERS CAN BE SUPPLIED" /a/nother/path/* r+w,param="/NO401 OTHER PARAMETERS CAN BE SUPPLIED" </div> <p> It is necessary to have the following entry in the WASD_CONFIG_MAP configuration file: <div class="blockof code">exec+ /cgiauth-bin/* /cgi-bin/* </div> <p> This allows authentication scripts to be located outside of the general server tree if desired. <li class="item"> <span class="high bold">Token</span> <p> A <span class="high italic">token</span> is a short-lived, cookie delivered, representation of authentication established in another context. 
Originally devised to allow controlled access to very large datasets without the overhead of SSL in the transmission but with access credentials supplied in the privacy of an SSL connection. The cookie contains NO CREDENTIAL data at all and the authenticator manages an internal database of these so it can determine whether any supplied token is valid and when that token has expired. By default (and commonly) token authorisation occurs in non-SSL space (http:) and the credential authorisation in SSL space (https:). <p> Token authorisation is described in <a class="link" href="#3.11.tokenauthentication">3.11 Token Authentication</a>. <li class="item"> <span class="high bold">Host Group</span> <p> Instead of a list of usernames contained in a database, a group within a realm (either or both <span class="high italic">full-access-source</span> or <span class="high italic">read-only-source</span>, see <a class="link" href="#3.4.authorizationconfigurationfile">3.4 Authorization Configuration File</a>) may be specified as a host, group of hosts or network mask. This acts to restrict all requests from clients not matching the IP address specification. Unlike the per-path access restriction list (<a class="link" href="#3.4.accessrestrictionkeywords">‘Access Restriction Keywords’ in 3.4 Authorization Configuration File</a>) this construct applies to all paths in the realm. It also offers relative efficiencies over restriction lists and lends itself to some environments based on per-host identification (e.g. the RFC1413 realm). Note that IP addresses can be <span class="high italic">spoofed</span> (impersonated) so this form of access control should be deployed with some caution. 
<div class="blockof code">[RFC1413;131.185.250.*] /path1/to/be/authorized/* r+w [RFC1413;131.185.250.0/24] /path2/to/be/authorized/* r+w [RFC1413;131.185.250.0/255.255.255.0] /path3/to/be/authorized/* r+w </div> <p> The examples of realm specifications above all act to restrict read-write access via the RFC1413 realm to hosts within the 131.185.250.<span class="high italic">nnn</span> subnet. <li class="item"> <span class="high bold">External</span> <p> Generally the WASD model is for the server to perform authorisation processing and so the password never becomes visible at the application level. For scripting environments performing their own authentication the server will decode and parse the request "Authorization:" header for paths under the EXTERNAL realm. <div class="blockof code">[EXTERNAL] /some/path/or/other/* r+w </div> <p> The various authentication data are then provided in the CGI variables <ul class="list simple list0"> <li class="item"> AUTH_TYPE <li class="item"> AUTH_ACCESS <li class="item"> AUTH_PASSWORD <li class="item"> AUTH_REALM <li class="item"> AUTH_REALM_DESCRIPTION <li class="item"> HTTP_AUTHORIZATION <li class="item"> REMOTE_USER </ul> <li class="item"> <span class="high bold">Opaque</span> <p> If the script is performing its own authentication and authorisation using the raw request header then the server needs to be advised of this by placing the required paths under the OPAQUE realm. <div class="blockof code">[OPAQUE] /another/path/* r+w </div> <p> The server will then provide only the "Authorization:" header data in the CGI variable HTTP_AUTHORIZATION, from which the username and password may be processed. </ul> <a id="3.5.0.0.1" href="#"></a> <a id="3.5.multiplesourcetypes" href="#"></a> <a id="multiplesourcetypes" href="#"></a> <h5 class="head"><span class="text">Multiple Source Types</span></h5> <p> A realm directive may contain one or more different types of authorization information source, with the following restrictions. 
<ul class="list"> <li class="item"> Rights identifiers may only be used with SYSUAF authenticated requests. The following combinations would therefore not be allowed. <div class="blockof code">[DEVELOPERS;PROJECT_A=id] [DEVELOPERS=hta;LIBRARIAN=id;PROJECT_A=list] [STOOGES=list;MOE_HOWARD=id] </div> <li class="item"> WASD rights identifiers (deprecated) may only be used for group membership when the /AUTHORIZE=WASD server qualifier has been specified at startup, and the username has been authenticated using a WASD identifier. See <a class="link" href="#3.10.4.wasdquothardwiredquotidentifiers">3.10.4 WASD "Hard-Wired" Identifiers</a>. </ul> <a id="3.5.0.0.2" href="#"></a> <a id="3.5.realmdescription" href="#"></a> <a id="realmdescription" href="#"></a> <h5 class="head"><span class="text">Realm Description</span></h5> <p> It is possible to supply text describing the authentication realm to the browser user that differs from the actual source name. This may be used to disguise the actual source or to provide a more informative description than the source name conveys. <p> Prefixing the actual realm source name with a double-quote delimited string (of up to 31 characters) and an equate symbol will result in the string being sent to a browser as the realm description during an authentication challenge. Here are some examples. <div class="blockof code">["the local host"=VMS] ["Social Club"=SOCIAL_CLUB_RW=id] ["Finance Staff"=FINANCE=list] ["Just Another Database"=DBACCESS=hta] </div> <div class="note"><a id="3.5.0.0.2.1" href="#"></a> <a id="3.5.note" href="#"></a> <a id="note" href="#"></a> <h5 class="head center"><span class="text">Note</span></h5> <hr class="note_hr"> The <span class="high italic">Digest</span> authentication scheme uses the realm description at both server and browser in the encrypted password challenge and response. When passwords are stored in an HTA file this realm synonym cannot be changed without causing these passwords to be rendered invalid. 
<hr class="note_hr"> </div> <a id="3.6" href="#"></a> <a id="3.6.realmfullaccessreadonly" href="#"></a> <a id="realmfullaccessreadonly" href="#"></a> <h2 class="head"><span class="numb">3.6</span><span class="text">Realm, Full-Access, Read-Only</span></h2> <p> WASD authorization offers a number of combinations of access control. This is a summary. Please note that when referring to the <span class="high italic">level-of-access</span> a particular username may be allowed (read-only or full, read-write access), that it is always moderated by the level-of-access provided with a path configured within that realm. See <a class="link" href="#3.3.permissionspathanduser">3.3 Permissions, Path and User</a>. <ul class="list"> <li class="item"> <span class="high bold">Authentication Only</span> <p> When a path is controlled by a realm that comprises an authentication source only, as in this example <div class="blockof code">[authentication-source] </div> usernames authenticated using that source are granted full (read and write) access. <li class="item"> <span class="high bold">Authentication and Group</span> <p> Where a group membership source is provided following the authentication source, as illustrated in this example <div class="blockof code">[authentication-source;group-source] </div> the level-of-access depends on the source of the group membership. If from a <span class="high italic">simple-list</span> of usernames or via a <span class="high italic">VMS rights identifier</span> the username receives full (read and write) access. If from an HTA database the access is dependent on what is set against that user in the database. It can be either full or read-only. <li class="item"> <span class="high bold">Authentication and Two Groups</span> <p> When a second group is specified, as in <div class="blockof code">[authentication-source;group-source;group-source] </div> the authentication is interpreted in a fixed fashion. 
The first group specified contains usernames to be granted full (read and write) access. The second group read-only access. Should a username occur in both groups full access takes precedence. <p> The second group may be specified as an asterisk wildcard ("*") which is interpreted as <span class="high italic">everyone else</span> (i.e. everyone else gets read-only access). </ul> <a id="3.7" href="#"></a> <a id="3.7.virtualservers" href="#"></a> <a id="virtualservers" href="#"></a> <h2 class="head"><span class="numb">3.7</span><span class="text">Virtual Servers</span></h2> <p> As described in <a class="link blank" target="_blank" href="../config/#virtualservices">Virtual Services</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>, virtual service syntax may be used with authorization mapping to selectively apply rules to one specific service. This example provides the essentials of using this syntax. Note that service-specific and service-common rules may be mixed in any order allowing common authorization environments to be shared. 
<div class="blockof code"># authorization rules example for virtual servers [[alpha.example.com:443]] # ALPHA SSL is the only service permitting VMS (SYSUAF) authentication [LOCAL=vms] /web/* https:,r+w ; r /httpd/-/admin/* ~daniel,https:,r+w [[beta.example.com:80]] # BETA has its own HTA database [BETA_USER=hta] /web/* r+w ; r [[gamma.example.com:80]] # GAMMA likewise [GAMMA_DEVELOPER=id;PROJECT-A=list] /web/project/a/* r+w ; r [GAMMA_DEVELOPER=id;PROJECT-B=list] /web/project/b/* r+w ; r [[*]] # allow anyone from the local subnet to upload to here [WORLD] /web/unload/* 131.185.200.*,r+w </div> <p> The online Server Administration facility path authorization report (<a class="link" href="#9.4.httpdserverreports">9.4 HTTPd Server Reports</a>) provides a selector allowing the viewing and checking of rules showing all services or only one particular virtual server, making it simpler to see exactly what any particular service is authorizing against. <a id="3.8" href="#"></a> <a id="3.8.authorizationconfigurationexamples" href="#"></a> <a id="authorizationconfigurationexamples" href="#"></a> <h2 class="head"><span class="numb">3.8</span><span class="text">Authorization Configuration Examples</span></h2> <p> Mixed case is used in the configuration examples (and should be in configuration files) to assist in readability. Rule interpretation however is completely case-insensitive. <ol class="list"> <li class="item"> In the following example the authentication realm is "WASD", a synonym for SYSUAF authentication, and the permissions group "SOCIALCLUB", a simple list of usernames. The directive allows those authenticated from the WASD realm and in the SOCIALCLUB group full access (read and write), and the world read-only. <div class="blockof code">[WASD=vms;SOCIALCLUB=list] /web/socialclub/* r+w ; read </div> <li class="item"> This example illustrates restricting access according to internet address. 
Both the group and world restrictions are identical, but the group address is being specified numerically, while the world access is being specified alphabetically (just for the purposes of illustration). This access check is done using simple wildcard comparison, which makes numerical specifications potentially more efficient because they are usually shorter. The second line restricts that path's write access even further, to one username, "BLOGGS". <div class="blockof code">[WASD=vms;SOCIALCLUB=list] /web/socialclub/* 131.185.45.*,get,post; *.example.com,get /web/socialclub/accounts/* 131.185.45.*,~BLOGGS,get,post; *.example.com,get </div> <li class="item"> Three sources for authorization are specified in the following example. As the authentication source is VMS (by rights identifier), the full-access group and read-only group can also be determined by possessing the specified identifiers. The first path can only be written to by those holding the full-access identifier (librarian), the second path can only be read by both. The world has no access to these paths. <div class="blockof code">[DEVELOPER=id;PROJECT_A_LIBRARIAN=id;PROJECT_A_USER=id] /web/projects/a/* r+w /web/projects/* r </div> <li class="item"> This example is the same as the one above, except in this case everyone else (that can authenticate against the resource) gets read-only access to the projects. <div class="blockof code">[DEVELOPER=id;PROJECT_A_LIBRARIAN=id;*] /web/projects/a/* r+w /web/projects/* r </div> <li class="item"> In the following example the authentication realm and group are a single HTA database, "ADMIN". The first directive allows those in the ADMIN group to read and write, and the world to read ("get,post;get"). The second line restricts write and even read access to the ADMIN group, no world access at all ("get,post"). 
<div class="blockof code">[ADMIN=hta] /web/everyone/* get,post;get /web/select/few/* get,post </div> <li class="item"> With this example usernames are used to control access to the specified paths. These usernames are authenticated from the COMPANY database. The world has read access in both cases. Note the realm description, "The Company". <div class="blockof code">["The Company"=COMPANY=hta] /web/docs/* ~Howard,~George,~Fred,r+w ; r /web/accounts/* ~George,r+w ; r </div> <li class="item"> The following example shows a path specifying the local system's SYSUAF being used to authenticate any usernames. Whenever using SYSUAF authentication it is <span class="high bold">strongly recommended to limit the potential hosts</span> that can authenticate in this way by always using a host-limiting access restriction list. The world gets read access. <div class="blockof code">[VMS] /web/local/area/* 131.185.250.*,r+w ; r </div> <li class="item"> To restrict server administration to browsers executing on the server system itself and the SYSUAF-authenticated username DANIEL use a restriction list similar to the following. It also shows the use of SYSUAF-authentication being hidden by using a realm description. <div class="blockof code">["not the VMS SYSUAF"=VMS] /httpd/-/admin/* #localhost,~daniel,r+w </div> <li class="item"> This example uses the RFC1413 <span class="high italic">identification protocol</span> as the authentication source and a host group to control full access to paths in the realm. <div class="blockof code">["Ident Protocol"=RFC1413;131.185.250.0/24] /web/local/* r+w </div> <li class="item"> The following example illustrates providing a read and writable area (GET, POST and PUTable) to hosts in the local network <span class="high bold">without username authentication</span> (careful!). 
<div class="blockof code">[WORLD] /web/scratch/* *.local.hosts.only,r+w </div> </ol> <a id="3.8.1" href="#"></a> <a id="3.8.1.kiss" href="#"></a> <a id="kiss" href="#"></a> <h3 class="head"><span class="numb">3.8.1</span><span class="text">KISS</span></h3> <p> WASD authorization allows for very simple authorization environments and provides the scope for quite complex ones. The path authentication scheme allows for multiple, individually-maintained authentication and authorization databases that can then be administered by autonomous managers, applying to widely diverse paths, all under the ultimate control of the overall Web administrator. <p> <span class="high bold">Fortunately great complexity is not generally necessary.</span> <p> Most sites would be expected to require only an elementary setup allowing a few selected Web information managers the ability to write to selected paths. This can best be provided with the one authentication database containing read and write permissions against each user, with an access-restriction list against individual paths. <p> For example. Consider a site with three departments, each of which wishes to have three representatives capable of administering the departmental Web information. Authentication is via the SYSUAF. Web administrators hold an appropriate VMS rights identifier, "WEBADMIN". Department groupings are provided by three simple lists of names, including the Web administrators (whose rights identifier would not be applied if access control is via a simple list); a fourth lists those with read-only access into the Finance area. 
The four grouping files would look like: <div class="blockof code"># Department 1 # Department 2 WEB1 WEB1 WEB2 WEB2 JOHN RINGO PAUL CURLY GEORGE LARRY # Department 3 # Finance (read access) WEB1 PAUL WEB2 GEORGE MOE JOHN SHEMP RINGO MAC </div> <p> The authorization configuration file then contains: <div class="blockof code">####################################################################### # allow web masters (!) to use the server administration facility # to revise web configuration files # world has no access (read or write) # access is only allowed from a browser in the same subnet as the HTTPd ["Hypo Thetical Corp."=HYPOTHETICAL=vms;WEBADMIN=id] /httpd/-/admin/* #150.15.30.*,r+w /wasd_root/local/* #150.15.30.*,r+w # allows Department 1 representatives to maintain their web # this may only be done from within the company subnet # world has read access ["Hypo Thetical Corp."=HYPOTHETICAL=vms;DEPARTMENT1=list] /web/dept/general/* 150.15.30.*,r+w ; r # and so on for the rest of the departments ["Hypo Thetical Corp."=HYPOTHETICAL=vms;DEPARTMENT2=list;FINANCE=list] # no world read access into finance, only those in the FINANCE list /web/dept/finance/* 150.15.30.*,r+w ["Hypo Thetical Corp."=HYPOTHETICAL=vms;DEPARTMENT3=list] /web/dept/inventory/* 150.15.30.*,r+w ; r /web/dept/production/* 150.15.30.*,r+w ; r # (the next uses line continuation just for illustration) /web/dept/marketing/* 150.15.30.*,\ r+w ;\ read # we need an area for general POSTing (just for illustration :-) [WORLD] /web/world/* r+w ####################################################################### </div> <a id="3.9" href="#"></a> <a id="3.9.authorizationcache" href="#"></a> <a id="authorizationcache" href="#"></a> <h2 class="head"><span class="numb">3.9</span><span class="text">Authorization Cache</span></h2> <p> Access to authentication sources, SYSUAF, simple lists and HTA databases, are relatively expensive operations. 
To reduce the impact of this activity on request latency and general server performance, authentication and realm-associated permissions for each authenticated username are stored in a cache. This means that only the initial request needs to be checked from appropriate databases, subsequent ones are resolved more quickly and efficiently from cache. <p> Such cached entries have a finite lifetime associated with them. This ensures that authorization information associated with that user is regularly refreshed. This period, in minutes, is set using the [AuthCacheMinutes] configuration parameter. Zero disables caching with a consequent impact on performance. <a id="3.9.0.0.1" href="#"></a> <a id="3.9.implication" href="#"></a> <a id="implication" href="#"></a> <h5 class="head"><span class="text">Implication</span></h5> <p> Wherever a cache is employed there arises the problem of keeping the contents current. The simple lifetime on entries in the authentication cache means they will only be checked for currency whenever it expires. Changes may have occurred to the databases in the meantime. <p> Generally there are no other considerations when adding user access. Previously the user attempt failed (and was evaluated each time), now the user is allowed access and the result is cached. <p> When removing or modifying access for a user the cached contents must be taken into account. The user will continue to experience the previous level of access until the cache lifetime expires on the entry. When making such changes it is recommended to explicitly purge the authentication cache either from the command line using /DO=AUTH=PURGE (<a class="link" href="#9.7.httpdcommandline">9.7 HTTPd Command Line</a>) or via the Server Administration facility (<a class="link" href="#9.serveradministration">9. Server Administration</a>). Of course the other solution is just to disable caching, which is a less than optimal solution. 
<a id="3.10" href="#"></a> <a id="3.10.sysuafauthenticatedusers" href="#"></a> <a id="sysuafauthenticatedusers" href="#"></a> <h2 class="head"><span class="numb">3.10</span><span class="text">SYSUAF-Authenticated Users</span></h2> <p> The ability to authenticate using the system's SYSUAF is controlled by the server /SYSUAF[=keyword] qualifier. By default it is disabled. <div class="note center"> <a id="3.10.0.0.1" href="#"></a> <a id="3.10.warning" href="#"></a> <a id="warning" href="#"></a> <h5 class="head center"><span class="text">WARNING!</span></h5> <hr class="note_hr"> <span class="high bold">SYSUAF authentication is not recommended except in the most secure of LAN environments or when SSL is employed.</span> <br> HTTP credentials (username and password) are transmitted as encoded plain-text making them vulnerable to eavesdropping. <hr class="note_hr"> </div> <p> By default accounts with SYSPRV authorized are always rejected to discourage the use of potentially significant usernames (e.g. SYSTEM). This behaviour can be changed through the use of specific identifiers, see <a class="link" href="#3.10.3.rightsidentifiers">3.10.3 Rights Identifiers</a> immediately below. Accounts that are disusered, have passwords that have expired or that are captive or restricted are always rejected. Accounts that have access day/time restricting access will have those restrictions honoured (see <a class="link" href="#3.10.3.rightsidentifiers">3.10.3 Rights Identifiers</a> for a workaround for this). <p> Also see <a class="link" href="#3.10.6.nilaccessvmsaccounts">3.10.6 Nil-Access VMS Accounts</a>. 
<a id="3.10.1" href="#"></a> <a id="3.10.1.acme" href="#"></a> <a id="acme" href="#"></a> <h3 class="head"><span class="numb">3.10.1</span><span class="text">ACME</span></h3> <p> By default the Authentication and Credential Management Extension (ACME) is used to authenticate SYSUAF requests on Alpha and Itanium running VMS V7.3 or later (<a class="link" href="#3.5.authenticationsources">3.5 Authentication Sources</a>). The advantage of ACME is with the processing of the (rather complex) authentication requirements by a vendor-supplied implementation. It also allows SYSUAF password change to be made subject to the full site policy (password history, dictionary checking, etc.) which WASD does not implement. <div class="note center"> <a id="3.10.1.0.1" href="#"></a> <a id="3.10.1.shouldacmebeunavailable" href="#"></a> <a id="shouldacmebeunavailable" href="#"></a> <h5 class="head center"><span class="text">Should ACME be unavailable</span></h5> <hr class="note_hr"> for whatever reason (x86-64 EAK for example) then define the logical name WASD_NO_ACME to force reversion to SYSUAF authentication. <hr class="note_hr"> </div> <a id="3.10.2" href="#"></a> <a id="3.10.2.logontype" href="#"></a> <a id="logontype" href="#"></a> <h3 class="head"><span class="numb">3.10.2</span><span class="text">Logon Type</span></h3> <p> By default SYSUAF authentication uses the NETWORK access restriction from the account SYSUAF record. Alternatives LOCAL, DIALUP and REMOTE may be specified using global configuration directive <div class="blockof code"># WASD_CONFIG_GLOBAL [AuthSYSUAFlogonType] REMOTE </div> and/or authorization rule parameter 'param="logon=REMOTE"' <div class="blockof code">["VMS Credentials"=WASD_VMS_RW=ID] /secured/* r+w,https,param="logon=REMOTE" </div> (which takes precedence). 
<a id="3.10.3" href="#"></a> <a id="3.10.3.rightsidentifiers" href="#"></a> <a id="rightsidentifiers" href="#"></a> <h3 class="head"><span class="numb">3.10.3</span><span class="text">Rights Identifiers</span></h3> <p> Whether or not any particular username is allowed to authenticate via the SYSUAF may be controlled by that account holding or not holding a particular VMS rights identifier. When a username has been authenticated via the SYSUAF, rights identifiers associated with that account may be used to control the level-of-access within that realm. <p> Use of identifiers for these purposes is enabled using the /SYSUAF=ID server startup qualifier. <p> The first three reserved identifier names are optional. A warning will be reported during startup if these are not found. The fourth must exist if SYSUAF proxy mappings are used in a /SYSUAF=ID environment. <ul class="list"> <li class="item"> <span class="high bold">WASD_HTTPS_ONLY – </span> restricts accounts holding it to authenticating using SSL (https:). Authentication via a standard "http:" will always be denied. <li class="item"> <span class="high bold">WASD_NIL_ACCESS – </span> allows accounts with access time restrictions to authenticate via the SYSUAF. This is particularly intended to support the use of nil-access accounts, see <a class="link" href="#3.10.6.nilaccessvmsaccounts">3.10.6 Nil-Access VMS Accounts</a>. <li class="item"> <span class="high bold">WASD_PASSWORD_CHANGE – </span> allows an account to modify its SYSUAF password, if this is configured for the server, see <a class="link" href="#3.15.userpasswordmodification">3.15 User Password Modification</a>. <li class="item"> <span class="high bold">WASD_PROXY_ACCESS – </span> allows an account to be used for proxy access if /SYSUAF=ID is in effect, see <a class="link" href="#3.10.5.vmsaccountproxying">3.10.5 VMS Account Proxying</a>. </ul> <p> Identifiers may be managed using the following commands. 
If unsure of the security implications of this action consult the relevant VMS system management security documentation. <div class="blockof code">$ SET DEFAULT SYS$SYSTEM $ MCR AUTHORIZE UAF> ADD /IDENTIFIER WASD_HTTPS_ONLY UAF> ADD /IDENTIFIER PROJECT_USER UAF> ADD /IDENTIFIER PROJECT_DEVELOPER UAF> ADD /IDENTIFIER PROJECT_LIBRARIAN </div> <p> They can then be provided to desired accounts using commands similar to the following: <div class="blockof code">UAF> GRANT /IDENTIFIER PROJECT_USER <account> </div> and removed using: <div class="blockof code">UAF> REVOKE /IDENTIFIER PROJECT_USER <account> </div> <p> Be aware that, as with all successful authentications, and due to the WASD internal authentication cache, changing database contents does not immediately affect access. Any change in the RIGHTSLIST won't be reflected until the cache entry expires or it is explicitly flushed (for example using /DO=AUTH=PURGE, see <a class="link" href="#3.9.authorizationcache">3.9 Authorization Cache</a>). <a id="3.10.4" href="#"></a> <a id="3.10.4.wasdquothardwiredquotidentifiers" href="#"></a> <a id="wasdquothardwiredquotidentifiers" href="#"></a> <h3 class="head"><span class="numb">3.10.4</span><span class="text">WASD "Hard-Wired" Identifiers</span></h3> <div class="note center"> <a id="3.10.4.0.1" href="#"></a> <a id="3.10.4.deprecatedanddiscouraged" href="#"></a> <a id="deprecatedanddiscouraged" href="#"></a> <h5 class="head center"><span class="text">Deprecated and Discouraged</span></h5> <hr class="note_hr"> As this has been deprecated for some years now the documentation for this functionality has been removed. <hr class="note_hr"> </div> <a id="3.10.5" href="#"></a> <a id="3.10.5.vmsaccountproxying" href="#"></a> <a id="vmsaccountproxying" href="#"></a> <h3 class="head"><span class="numb">3.10.5</span><span class="text">VMS Account Proxying</span></h3> <p> Any authentication realm can have its usernames mapped into VMS usernames and the VMS username used as if it had been authenticated from the SYSUAF. This is a form of proxy access. 
<div class="note"> <a id="3.10.5.0.1" href="#"></a> <a id="3.10.5.caution" href="#"></a> <a id="caution" href="#"></a> <h5 class="head center"><span class="text">CAUTION</span></h5> <hr class="note_hr"> This is an extremely powerful mechanism and as a consequence requires enabling on the command-line at server startup using the /SYSUAF=PROXY qualifier and keyword. If identifiers are used to control SYSUAF authentication (i.e. /SYSUAF=ID) then any account mapped by proxy access must hold the WASD_PROXY_ACCESS identifier described in <a class="link" href="#3.10.3.rightsidentifiers">3.10.3 Rights Identifiers</a> (and server startup would be something like "/SYSUAF=(ID,PROXY)"). <hr class="note_hr"> </div> <p> When a proxy mapping occurs request user authorization detail reflects the SYSUAF username characteristics, not the actual original authentication source. This includes username, user details (i.e. becomes that derived from the <span class="high italic">owner</span> field in the SYSUAF), constraints on the username access (e.g. SSL only), and user capabilities including any profile if enabled. Authorization source detail remains unchanged, reflecting the realm, realm description and group of the original source. For CGI scripting an additional variable, WWW_AUTH_REMOTE_USER, provides the original remote username. <p> For each realm, and even for each path, a different collection of mappings can be applied. Proxy entries are strings containing no white space. There are three basic variations, each with an optional host or network mask component. <ul class="list simple list0"> <li class="item"> remote[@host|@network/mask]=SYSUAF <li class="item"> *[@host|@network/mask]=SYSUAF <li class="item"> *[@host|@network/mask]=* </ul> <p> The "SYSUAF" is the VMS username being mapped to. The <span class="high italic">remote</span> is the remote username (CGI variable WWW_REMOTE_USER). 
The first variation maps a matching remote username (and optional host/network) onto the specific SYSUAF username. The second maps all remote usernames (and optional host/network) to the one SYSUAF username (useful as a final mapping). The third maps all remote usernames (optionally on the remote host/network) into the same SYSUAF username (again useful as a final mapping if there is a one-to-one equivalence between the systems). <p> Proxy mappings are processed sequentially from first to last until a matching rule is encountered. If none is found authorization is denied. Match-all and default mappings can be specified. <div class="blockof code">[RFC1413] [AuthProxy] bloggs@131.185.250.1=fred [AuthProxy] doe@131.185.250.*=john system=- *@131.185.252.0/24=* [AuthProxy] *=GUEST </div> <p> In this example the username <span class="high italic">bloggs</span> on system 131.185.250.1 can access as if the request had been authenticated via the SYSUAF using the username and password of <span class="high italic">FRED</span>, although of course no SYSUAF username or password needs to be supplied. The same applies to the second mapping, <span class="high italic">doe</span> on the remote system to <span class="high italic">JOHN</span> on the VMS system. The third mapping disallows a <span class="high italic">system</span> account ever being mapped to the VMS equivalent. The fourth, wildcard mapping, maps all accounts on all systems in 131.185.250.0 8 bit subnet to the same VMS username on the server system. The fifth mapping provides a default username for all other remote usernames (and used like this would terminate further mapping). <p> Note that multiple, space-separated proxy entries may be placed on a single line. In this case they are processed from left to right and first to last. 
<div class="blockof code">["Just an Example"=EXAMPLE=list] [AuthProxy] bloggs@131.185.250.1=fred doe@131.185.250.1=doe system=- \ *@131.185.252.0/24=* *=GUEST </div> <p> Proxy mapping rules should be placed after a realm specification and before any authorization path rules in that realm. In this way the mappings will apply to all rules in that realm. It is possible to change the mappings between rules. Just insert the new mappings before the (first) rule they apply to. This cancels any previous mappings and starts a new set. This is an example. <div class="blockof code">["A Bunch of Users"=USERS=hta] [AuthProxy] bloggs@131.185.250.1=fred doe@131.185.250.1=john /fred/and/johns/path/* r+w [AuthProxy] *=GUEST /other/path/* read </div> <p> An alternative to in-line proxy mapping is to provide the mappings in one or more independent files. In-line and in-file mappings may be combined. <div class="blockof code">["Another Bunch of Users"=MORE_USERS=hta] [AuthProxy] SYSTEM=- [AuthProxyFile] WASD_ROOT:[LOCAL]PROXY.CONF /path/for/proxy* r+w </div> <p> To cancel all mappings for following rules use an [AuthProxy] (with no following mapping detail). Previous mappings are always cancelled with the start of a new realm specification. Where proxy mapping is not enabled at the command line or a proxy file cannot be loaded at startup a proxy entry is inserted preventing <span class="high bold">all access</span> to the path. <p> <span class="high bold">REMEMBER – </span> proxy processing can be observed using the WATCH facility. <a id="3.10.6" href="#"></a> <a id="3.10.6.nilaccessvmsaccounts" href="#"></a> <a id="nilaccessvmsaccounts" href="#"></a> <h3 class="head"><span class="numb">3.10.6</span><span class="text">Nil-Access VMS Accounts</span></h3> <p> It is possible, and may be quite effective for some environments, to have a SYSUAF account or accounts strictly for HTTP authorization, with no actual interactive or other access allowed to the VMS system itself. 
This would relax the caution on the use of SYSUAF authentication outside of SSL transactions. An obvious use would be for the HTTP server administrator. Additional accounts could be provided for other authorization requirements, all without compromising the system's security. <p> In setting up such an environment it is vital to ensure the HTTPd server is started using the /SYSUAF=ID qualifier (<a class="link" href="#3.2.authenticationpolicy">3.2 Authentication Policy</a>). This will require all SYSUAF-authenticated accounts to possess a specific VMS resource identifier, accounts that do not possess the identifier cannot be used for HTTP authentication. In addition the identifier WASD_NIL_ACCESS will need to be held (<a class="link" href="#3.10.3.rightsidentifiers">3.10.3 Rights Identifiers</a>), allowing the account to authenticate despite being restricted by REMOTE and NETWORK time restrictions. <p> To provide such an account select a group number that is currently unused for any other purpose. Create the desired account using whatever local utility is used then activate VMS AUTHORIZE and effectively disable access to that account from all sources and grant the appropriate access identifier (see <a class="link" href="#3.10.3.rightsidentifiers">3.10.3 Rights Identifiers</a> above). <div class="blockof code">$ SET DEFAULT SYS$SYSTEM $ MCR AUTHORIZE UAF> MODIFY <account> /NOINTERACTIVE /NONETWORK /NOBATCH /FLAG=DISMAIL UAF> GRANT /IDENTIFIER WASD_NIL_ACCESS <account> UAF> GRANT /IDENTIFIER WASD_VMS_RW <account> </div> <a id="3.10.7" href="#"></a> <a id="3.10.7.sysuafandssl" href="#"></a> <a id="sysuafandssl" href="#"></a> <h3 class="head"><span class="numb">3.10.7</span><span class="text">SYSUAF and SSL</span></h3> <p> When SSL is in use (<a class="link" href="#4.transportlayersecurity">4. Transport Layer Security</a>) the username/password authentication information is inherently secured via the encrypted communications of SSL. 
To enforce access to be via SSL add the following to the WASD_CONFIG_MAP configuration file: <div class="blockof code">/whatever/path/you/like/* "403 Access denied." ![sc:https] </div> or alternatively the following to the WASD_CONFIG_AUTH configuration file: <div class="blockof code">[REALM] /whatever/path/you/like/* https: </div> <p> Note that this mechanism is applied <span class="high bold">after</span> any path and method assessment made by the server's authentication schema. <p> The qualifier /SYSUAF=SSL provides a powerful mechanism for protecting SYSUAF authentication, restricting SYSUAF authenticated transactions to the SSL environment. The combination /SYSUAF=(SSL,ID) is particularly effective. <p> Also see <a class="link" href="#3.2.authenticationpolicy">3.2 Authentication Policy</a>. <a id="3.10.8" href="#"></a> <a id="3.10.8.sysuafsecurityprofile" href="#"></a> <a id="sysuafsecurityprofile" href="#"></a> <h3 class="head"><span class="numb">3.10.8</span><span class="text">SYSUAF Security Profile</span></h3> <p> It is possible to control access to files and directories based on the VMS security profile of a SYSUAF-authenticated remote user. This functionality is implemented using VMS security system services involving SYSUAF and RIGHTSLIST information. The feature must be explicitly allowed using the server /PROFILE qualifier. By default it is disabled. <div class="note"><a id="3.10.8.0.0.1" href="#"></a> <a id="3.10.8.note" href="#"></a> <a id="note" href="#"></a> <h5 class="head center"><span class="text">Note</span></h5> <hr class="note_hr"> Use caution when deploying the /PROFILE qualifier. It was really designed with a very specific environment in mind, that of an Intranet where the sole purpose was to provide VMS users access to their normal VMS resources via a Web interface. <hr class="note_hr"> </div> <p> When a SYSUAF-authenticated user (i.e. 
the VMS realm) is first authenticated a VMS security-profile is created and stored in the authentication cache (<a class="link" href="#3.9.authorizationcache">3.9 Authorization Cache</a>). A cached profile is an efficient method of implementing this as it obviously removes the need of creating a user profile each time a resource is assessed. If this profile exists in the cache it is attached to each request authenticated for that user. As it is cached for a period, any change to a user's security profile in the SYSUAF or RIGHTSLIST won't be reflected in the cached profile until the cache entry expires or it is explicitly flushed (<a class="link" href="#9.6.httpdserveraction">9.6 HTTPd Server Action</a>). <p> When a request has this security profile all accesses to files and directories are assessed against it. When a file or directory access is requested the security-profile is employed by a VMS security system service to assess the access. If allowed, it is provided via the SYSTEM file protection field. Hence it is possible to be eligible for access via the OWNER field but not actually be able to access it because of SYSTEM field protections! If not allowed, a "no privilege" error is generated. <p> Once enabled using /PROFILE it can be applied to all SYSUAF authenticated paths, but must be enabled on a per-path basis, using the WASD_CONFIG_AUTH <span class="high italic">profile</span> keyword (<a class="link" href="#3.4.accessrestrictionkeywords">‘Access Restriction Keywords’ in 3.4 Authorization Configuration File</a>) <div class="blockof code"># WASD_CONFIG_AUTH [VMS;VMS] /wasd_root/local/* profile,https:,r+w </div> or the WASD_CONFIG_MAP SET <span class="high italic">profile</span> and <span class="high italic">noprofile</span> mapping rules (see <a class="link blank" target="_blank" href="../config/#setrule">SET Rule</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>). 
<div class="blockof code"># WASD_CONFIG_MAP set /wasd_root/local/* profile set * noprofile </div> <p> Of course, this functionality only provides access for the server, IT DOES NOT PROPAGATE TO ANY SCRIPT ACCESS. If scripts must have a similar ability they should implement their own scheme (which is not too difficult, see <a class="link blank" target="_blank" href="/wasd_root/src/misc/chkacc.c">WASD_ROOT:[SRC.MISC]CHKACC.C</a>) based on the CGI variable WWW_AUTH_REALM which would be "VMS" indicating SYSUAF-authentication, and the authenticated name in WWW_REMOTE_USER. <a id="3.10.8.0.1" href="#"></a> <a id="3.10.8.performanceimpact" href="#"></a> <a id="performanceimpact" href="#"></a> <h5 class="head"><span class="text">Performance Impact</span></h5> <p> If the /PROFILE qualifier has enabled SYSUAF-authenticated security profiles, whenever a file or directory is assessed for access an explicit VMS security system service call is made. This call builds a security profile of the object being assessed, compares the cached user security profile and returns an indication whether access is permitted or forbidden. This is in addition to any such assessments made by the file system as it is accessed. <p> This extra security assessment is not done for non-SYSUAF-authenticated accesses within the same server. <p> For file access this extra overhead is negligible but becomes more significant with directory listings ("Index of") where each file in the directory is independently assessed for access. <a id="3.10.9" href="#"></a> <a id="3.10.9.sysuafprofileforfullsiteaccess" href="#"></a> <a id="sysuafprofileforfullsiteaccess" href="#"></a> <h3 class="head"><span class="numb">3.10.9</span><span class="text">SYSUAF Profile For Full Site Access</span></h3> <p> Much of a site's package directory tree is inaccessible to the server account. One use of the SYSUAF profile functionality is to allow authenticated access to all files in that tree. 
This can be accomplished by creating a specific mapping for this purpose, subjecting that to SYSUAF authentication with /PROFILE behaviour enabled (<a class="link" href="#3.10.8.sysuafsecurityprofile">3.10.8 SYSUAF Security Profile</a>), and limiting the access to a SYSTEM group account. As all files in the WASD package are owned by SYSTEM the security profile used allows access to all files. <p> The following example shows a path with a leading dollar (to differentiate it from general access) being mapped into the package tree. The "set * noprofile" limits the application of this to the /$WASD_ROOT/ path (with the inline "profile"). <div class="blockof code"># WASD_CONFIG_MAP set * noprofile . . . pass /wasd_root/* /wasd_root/* pass /$WASD_ROOT/* /wasd_root/* profile </div> <p> This path is then subjected to SYSUAF authentication with access limited to an SSL request from a specific IP address (the site administrator's) and the SYSTEM account. <div class="blockof code"># WASD_CONFIG_AUTH [["/$WASD_ROOT/ Access"=WASD_TREE_ACCESS=id]] /$WASD_ROOT/* https,10.1.1.2,~system,read </div> <a id="3.11" href="#"></a> <a id="3.11.tokenauthentication" href="#"></a> <a id="tokenauthentication" href="#"></a> <h2 class="head"><span class="numb">3.11</span><span class="text">Token Authentication</span></h2> <p> This is a niche authorisation environment for addressing niche requirements. <p> A <span class="high italic">token</span> is an HTTP cookie delivered representation of authentication established in another context. Originally devised to allow controlled access to very large datasets without the overhead of SSL in the transmission but with access credentials supplied in the privacy of an SSL connection. <p> A common scenario is where the client starts off attempting to access a resource in non-SSL space which is controlled by token authentication. 
In the first instance the authenticator detects there is no access token present and redirects the client (browser) to the SSL equivalent of that space, where credentials can be supplied encrypted. In this example scenario the SSL area is controlled by WASD SYSUAF authentication (can be SSL client certificate, etc.) and the username/password is prompted for. When correctly entered this generates a token. The token is stored (with corresponding detail) as a record in a server-internal database and then returned to the browser as a set-cookie value. <p> With the token data stored the browser is transparently redirected back to the non-SSL space where the actual access is to be undertaken, this time the browser presenting the cookie containing the token. The authenticator examines the token, looking it up in the database. If it is found, originated from the same IP address, represents the same authentication realm, and has not expired, it then allows the non-SSL space access to proceed, and in this example scenario the dataset transfer is initiated (in unencrypted clear-text). If the token is not found in the database or has expired, then the process is repeated with a redirect back into SSL space. If the realms differ a 403 forbidden response is issued (see configuration below). <p> The token itself is a significant sequence of pseudo-random characters, is short-lived (configurable as anything from a few seconds to a few tens of seconds, or more), and as a consequence is frequently regenerated. The token is just that, containing no actual credential data at all. It might be possible to snoop but as it contains nothing of value in itself, expires relatively quickly, and has an originating IP address check, the fairly remote risk of playback is just that. <p> The authenticator does all the work, implicitly redirecting the user from non-SSL space to SSL space for the original authentication, and then back again with the token used for access in the non-SSL space. 
With the expiry of a token it undertakes that cycle again, redirecting back to the SSL-space where the browser-cached credentials will be supplied automatically allowing the fresh token to be issued, and then redirected back into non-SSL space for access. To emphasise - all this is transparent to the user. <p> As a consequence of this model the resource being controlled can ONLY be accessed from non-SSL space using the controlled path. To access the same resource from SSL space a distinct path to the resource must be provided. <a id="3.11.0.0.1" href="#"></a> <a id="3.11.configuration" href="#"></a> <a id="configuration" href="#"></a> <h5 class="head"><span class="text">Configuration</span></h5> <p> As token authorisation relies on the client agent having HTTP cookies enabled (globally or specifically for the site) it is useful to have this tested for and/or advised about, on some related but other area of the site. There are simple techniques using JavaScript for detecting the availability of cookie processing. Search the Web for a suitable solution. <p> The automatic authorisation and redirection occurs using a combination of two distinguishable authorisation rules, one for supplying the credentials, the other for using the token for authorisation. In this example (and commonly) the resources are at "/location/" and the configuration accepts user-supplied credentials in SSL space and uses the token in non-SSL space. The asterisk just indicates that in the absence of any other parameter this authorisation rule has a complementary token rule where access will actually occur. <div class="blockof code"># WASD_CONFIG_AUTH if (ssl:) ["VMS credentials"=WASD_VMS_RW=id+"TOKEN=*"] /location/* r+w else [WASD_VMS_RW=TOKEN] /location/* r+w endif </div> <p> And in this example, the same arrangement but with non-standard ports (specified using an integer with a leading colon). 
<div class="blockof code"># WASD_CONFIG_AUTH if (ssl:) ["VMS credentials"=WASD_VMS_RW=id+"TOKEN=:7080"] /location/* r+w else [WASD_VMS_RW=TOKEN+"TOKEN=:7443"] /location/* r+w endif </div> <p> To prevent potential thrashing, where multiple, distinct realms within a <span class="high italic">single</span> request are authorised using tokens, corresponding multiple token (cookie) names must be used. It is expected that this would be an uncommon but not impossible scenario. The "thrashing" would be a result of authorisation associated with a single, particular token name. Where a realm differs from a previous token generated another is required. The token authorisation scheme forces the use of distinct token names by 403-forbidding change of realm using the one token. Use explicitly specified, independent token (cookie) names, or an integer preceded by an ampersand (which appends the integer to the base token name), ensuring the complementary rules are using the same name/integer. <div class="blockof code"># WASD_CONFIG_AUTH if (ssl:) ["VMS credentials"=WASD_VMS_RW=id+"TOKEN=&42"] /location/* r+w else [WASD_VMS_RW=TOKEN+"TOKEN=&42"] /location/* r+w endif </div> <p> For the final example, the token is contained in the non-default cookie named "Wasd_example" and the authentication performed using an X509 client certificate (which can only be supplied via SSL). <div class="blockof code"># WASD_CONFIG_AUTH if (ssl:) [X509+"TOKEN=WaSd_example"] /location/* r+w else [X509=TOKEN+"TOKEN=WaSd_example"] /location/* r+w endif </div> <p> Some additional detail is available from the AUTHTOKEN.C code module. <a id="3.12" href="#"></a> <a id="3.12.skeletonkeyauthentication" href="#"></a> <a id="skeletonkeyauthentication" href="#"></a> <h2 class="head"><span class="numb">3.12</span><span class="text">Skeleton-Key Authentication</span></h2> <p> Provides a username and password that is authenticated from data placed into the global common (i.e. in memory) by the site administrator. 
The username and password expire (become non-effective) after a period, one hour by default or an interval specified when the username and password are registered. <p> It is a method for allowing ad hoc authenticated access to the server, primarily intended for non-configured access to the online Server Administration facilities (<a class="link" href="#9.1.accessbeforeconfiguration">9.1 Access Before Configuration</a>) but is available for other purposes where a permanent username and password in an authentication database is not necessary. A skeleton-key authenticated request <span class="high bold">is subject to all other authorization processing</span> (i.e. access restrictions, etc.), and can be controlled using the likes of '~_*', etc. <p> The site administrator uses the command line directive <div class="blockof code">$ HTTPD /DO=AUTH=SKELKEY=<span class="high italic under">username:password[:period]</span> </div> to set the username/password, and optionally the period in minutes. This authentication credential can be cancelled at any time using <div class="blockof code">$ HTTPD /DO=AUTH=SKELKEY=0 </div> <p> The username must begin with an underscore (to reduce the chances of clashing with a legitimate username) and have a minimum of 6 other characters. The password is delimited by a colon and must be at least 8 characters. The optional period in minutes can be from 1 to 10080 (one week). If not supplied it defaults to 60 (one hour). After the period expires the skeleton key is no longer accepted until reset. <div class="note center"><a id="3.12.0.0.0.1" href="#"></a> <a id="3.12.note" href="#"></a> <a id="note" href="#"></a> <h5 class="head center"><span class="text">Note</span></h5> <hr class="note_hr"> Choose username and password strings that are less-than-obvious and a period that's sufficient to the task! <br> After all, it's <span class="high bold">your site</span> that you might compromise! 
<hr class="note_hr"> </div> <p> The authentication process (with skeleton-key) is performed using these basic steps. <ol class="list"> <li class="item"> Is a skeleton-key set? If not continue on with the normal authentication process. <li class="item"> If set then check the request username leading character for an underscore. If not then continue on with normal authentication. <li class="item"> If it begins with an underscore then match the request and skeleton-key usernames. If they do not match then continue with normal authentication. <li class="item"> If the usernames match then compare the request and skeleton-key passwords. If matched then it's authenticated. If not it becomes an authentication failure. </ol> <p> Note that the authenticator resumes looking for a username from a configured authentication source unless the request and skeleton-key usernames match. After that the passwords either match allowing access or do not match resulting in an authentication failure. <a id="3.12.0.0.1" href="#"></a> <a id="3.12.examples" href="#"></a> <a id="examples" href="#"></a> <h5 class="head"><span class="text">Examples</span></h5> <div class="blockof code">$ HTTPD /DO=AUTH=SKELKEY=_FRED2ACC:USE82PA55 $ HTTPD /DO=AUTH=SKELKEY=_ANDY2WERP:EGGO4TEE:10 </div> <a id="3.13" href="#"></a> <a id="3.13.controllingserverwriteaccess" href="#"></a> <a id="controllingserverwriteaccess" href="#"></a> <h2 class="head"><span class="numb">3.13</span><span class="text">Controlling Server Write Access</span></h2> <p> The server account should have no direct write access into any directory structure. Files in these areas should be owned by SYSTEM ([1,4]). Write access for the server into VMS directories (using the POST or PUT HTTP methods) should be controlled using VMS ACLs. 
<span class="high bold">This is in addition to the path authorization of the server itself of course!</span> The recommendation to have no ownership of files and provide an ACE on required directories prevents inadvertent mapping/authorization of a path resulting in the ability to write somewhere not intended. <p> Two different ACEs implement two grades of access. <ol class="list"> <li class="item"> If the ACE grants <span class="high bold">CONTROL</span> access to the server account then only VMS-authenticated usernames with security profiles can potentially write to the directory. Only potentially, because a further check is made to assess whether that VMS account in particular has write access. <p> This example shows a suitable ACE that applies only to the original directory: <div class="blockof code">$ SET SECURITY directory.DIR - /ACL=(IDENT=HTTP$SERVER,ACCESS=READ+WRITE+EXECUTE+DELETE+CONTROL) </div> This example shows setting an ACE that will propagate to created files and importantly, subdirectories: <div class="blockof code">$ SET SECURITY directory.DIR - /ACL=((IDENT=HTTP$SERVER,OPTIONS=DEFAULT,ACCESS=READ+WRITE+EXECUTE+DELETE+CONTROL), - (IDENT=HTTP$SERVER,ACCESS=READ+WRITE+EXECUTE+DELETE+CONTROL)) </div> <li class="item"> If the ACE grants <span class="high bold">WRITE</span> access then the directory can be written into by any authenticated username for the authorized path. 
<p> This example shows a suitable ACE that applies only to the original directory: <div class="blockof code">$ SET SECURITY directory.DIR - /ACL=(IDENT=HTTP$SERVER,ACCESS=READ+WRITE+EXECUTE+DELETE) </div> This example shows setting an ACE that will propagate to created files and importantly, subdirectories: <div class="blockof code">$ SET SECURITY directory.DIR - /ACL=((IDENT=HTTP$SERVER,OPTIONS=DEFAULT,ACCESS=READ+WRITE+EXECUTE+DELETE), - (IDENT=HTTP$SERVER,ACCESS=READ+WRITE+EXECUTE+DELETE)) </div> </ol> <p> To assist with the setting of the required ACEs an example, general-purpose DCL procedure is provided, <a class="link blank" target="_blank" href="/wasd_root/example/authace.com">WASD_ROOT:[EXAMPLE]AUTHACE.COM</a>). <a id="3.14" href="#"></a> <a id="3.14.securingallrequests" href="#"></a> <a id="securingallrequests" href="#"></a> <h2 class="head"><span class="numb">3.14</span><span class="text">Securing All Requests</span></h2> <p> Some sites may be sensitive enough about Web resources that the possibility of providing inadvertant access to some area or another is of major concern. WASD provides a facility that will automatically deny access to any path that does not appear in the authorization configuration file. This does mean that all paths requiring access must have authorization rules associated with them, but if something is missed some resource does not unexpectedly become visible. <p> At server startup the /AUTHORIZE=ALL qualifier enables this facility. <p> For paths that require authentication and authorization the standard realms and rules apply. To indicate that a particular path should be allowed access, but that no authorization applies the "NONE" realm may be used. The following example provides some indication of how it should be used. 
<div class="blockof code"># allow the librarian to update this area, world to read it [VMS;LIBRARIAN=id] /web/library/* r+w ; read # indicate there is no authorization to be applied [NONE] # allow access to general web areas /web/* read # allow access to the WASD_ROOT tree /wasd_root/* read </div> <p> There is also a per-path equivalent of the /AUTHORIZE=ALL functionality, described in <a class="link blank" target="_blank" href="../config/#setrule">SET Rule</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>). This allows a path tree to be require authorization be enabled against it. <div class="blockof code"># avoid an absence of authorization allowing unintentional access set /web/sensitive/* auth=all </div> <a id="3.15" href="#"></a> <a id="3.15.userpasswordmodification" href="#"></a> <a id="userpasswordmodification" href="#"></a> <h2 class="head"><span class="numb">3.15</span><span class="text">User Password Modification</span></h2> <p> The server provides for users to be able to change their own HTA passwords (and SYSUAF if required). This functionality, though desirable from the administrator's viewpoint, is not mandatory if the administrator is content to field any password changes, forgotten passwords, etc. Keep in mind that passwords, though not visible during entry, are passed to the server using clear-text form fields (which is why SSL is recommended). <p> Password modification is enabled by including a mapping rule to the internal change script. For example: <div class="blockof code">pass /httpd/-/change/* /httpd/-/change/* </div> <p> Any database to be enabled for password modification must have a writable authorization path associated with it. 
For example: <div class="blockof code">[GROUP=id;GROUP=id] /httpd/-/change/group/* r+w [ANOTHER_GROUP=id;ANOTHER_GROUP=id] /httpd/-/change/another_group/* r+w </div> <div class="note"><a id="3.15.0.0.0.1" href="#"></a> <a id="3.15.note" href="#"></a> <a id="note" href="#"></a> <h5 class="head center"><span class="text">Note</span></h5> <hr class="note_hr"> What looks like redundancy in specifying an identical realm and group authorization is what allows multiple, independant identifiers to be individually controlled for password change (i.e. one group of identifier holders allowed to change the password, another not). <hr class="note_hr"> </div> <p> Use some form of cautionary wrapper if providing this functionality over something other than an Intranet or SSL connection: <div class="blockof code"><H2>Change Your Authentication</H2> <blockquote> Change the password used to identify yourself to the REALM Web environment for some actions. Note that this <u>not</u> an operating system password, nor has it anything to do with it. Due to the inherent weaknesses of using non-encrypted password transmissions on networks <font color="#ff0000"><u>DO NOT</U> use a password you have in use anywhere else, especially an operating system password!</font> You need your current password to make the change. If you have forgotten what it is contact <a href="/web/webadmin.html">WebAdmin</a>, preferably via e-mail, for the change to be made on your behalf. </blockquote> <ul> <li><a href="/httpd/-/change/REALM/">REALM</a> realm. </ul> </div> <a id="3.15.0.0.1" href="#"></a> <a id="3.15.passwordexpiry" href="#"></a> <a id="passwordexpiry" href="#"></a> <h5 class="head"><span class="text">Password Expiry</span></h5> <p> When using SYSUAF authentication it is possible for a password to pre-expired, or when a password lifetime is set for a password to expire and require respecification. By default an expired password cannot be used for access. 
This may be overridden using the following global configuration directive. <div class="blockof code">[AuthSYSUAFacceptExpPwd] enabled </div> <p> Expired passwords may be specially processed by specifying a URL with WASD_CONFIG_GLOBAL [AuthSysUafPwdExpURL] configuration directive <a class="link blank" target="_blank" href="../config/#alphabeticlistings">Alphabetic Listings</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>). <p> The WASD_CONFIG_MAP <span class="high italic">set auth=sysuaf=pwdexpurl=<string></span> rule allows the same URL to be specified on a per-path basis. When this is set a request requiring SYSUAF authentication that specifies a username with an expired password is redirected to the specified URL. This should directly or via an explanatory (wrapper) page redirect to the password change path described above. The password change dialog will have a small note indicating the password has expired and allows it to be changed. <p> The following WASD_CONFIG_GLOBAL directive <div class="blockof code"># WASD_CONFIG_GLOBAL [AuthSysUafPwdExpURL] https:///httpd/-/change/ # WASD_CONFIG_AUTH [WASD_VMS_ID=id;WASD_VMS_RW=id] /httpd/-/change/* r+w </div> would allow expired passwords to be changed. <p> It is also possible to redirect an expired password to a site-specific page for input and change. This allows some customization of the language and content of the expired password change dialog. An example document is provided at <a class="link blank" target="_blank" href="/wasd_root/example/expired.shtml?httpd=content&type=text/plain">WASD_ROOT:[EXAMPLE]EXPIRED.SHTML</a> (<a class="link blank" target="_blank" href="/wasd_root/example/expired.shtml">what it looks like</a>) ready for relocation and customisation. Due to the complexities of passing realm information and then submitting that information to the server-internal change facility some dynamic processing is required via an SSI document. 
<p> This example assumes the site-specific document has been located at WEB:[000000]EXPIRED.SHTML and is accessed using SSL. <div class="blockof code"># WASD_CONFIG_GLOBAL [AuthSysUafPwdExpURL] https:///web/expired.shtml?httpd=ignore&realm=vms # WASD_CONFIG_AUTH [WASD_VMS_ID=id;WASD_VMS_RW=id] /httpd/-/change/vms/* r+w /web/expired.shtml r+w </div> <a id="3.16" href="#"></a> <a id="3.16.cancellingauthorization" href="#"></a> <a id="cancellingauthorization" href="#"></a> <h2 class="head"><span class="numb">3.16</span><span class="text">Cancelling Authorization</span></h2> <p> The reason authorization information is not required to be reentered on subsequent accesses to controlled paths is cached information the browser maintains. It is sometimes desirable to be able to access the same path using different authentication credentials, and correspondingly it would be useful if a browser had a <span class="high italic">purge authorization cache</span> button, but this is commonly not the case. To provide this functionality the server must be used to "trick" the browser into cancelling the authorization information for a particular path. <p> This is achieved by adding a specific query string to the path requiring cancellation. The server detects this and returns an authorization failure status (401) regardless of the contents of request "Authorization:" field. This results in the browser flushing that path from the authorization cache, effectively requiring new authorization information the next time that path is accessed. <p> There are two variations on this mechanism. <ol class="list"> <li class="item"> The basic procedure is as follows: <ul class="list"> <li class="item"> Add the query string "?httpd=logout" to the path in question (if there is an existing query then replace it), as in the following example. 
<div class="blockof code">/the/current/path?httpd=logout </div> <li class="item"> The browser will respond with an authorization failure, and prompting to retry or reenter the username and password. <li class="item"> It is necessary to clear at least the password (i.e. remove any password from the appropriate field) and reenter. <li class="item"> The browser again responds with an authorization failure. <li class="item"> At this stage the authorization dialog can be cancelled, resulting in a server authorization failure message. <li class="item"> The original path can now be returned to and reaccessed. The browser should again prompt for authorization information at which point different credentials may be supplied. </ul> <li class="item"> A little more functional, if using a revalidation period via [AuthRevalidateUserMinutes] or 'SET auth=revalidate=' (perhaps set to something like 23:59:00, or one day), when the logout query string is supplied the server resets the entry forcing any future access to require revalidation. A successful logout message is then generated, circumventing the need for the username/password dialog described above. <ul class="list"> <li class="item"> Add or replace the query string "?httpd=logout" to the path in question as in the following example. <div class="blockof code">/the/current/path?httpd=logout </div> <li class="item"> The browser will respond with a message stating that authentication has been cancelled. That's it! </ul> <p> Also when using logout with a revalidation period a redirection URL may be appended to the logout query string. It then redirects to the supplied URL. It is important that the redirection is returned to the browser and not handled internally by WASD. Normal WASD redirection functionality applies. 
<div class="blockof code">?httpd=logout&goto=/// ?httpd=logout&goto=///help/logout.html ?httpd=logout&goto=http://the.host.name/ </div> <p> These examples redirect to <ul class="list simple list0"> <li class="item"> the local home page <li class="item"> a specific local page <li class="item"> a specific remote server </ul> respectively. <div class="note"> <a id="3.16.0.0.1" href="#"></a> <a id="3.16.authenticationcache" href="#"></a> <a id="authenticationcache" href="#"></a> <h5 class="head center"><span class="text">Authentication Cache</span></h5> <hr class="note_hr"> User revalidation relies on an entry being maintained in the authentication cache. Each time the entry is flushed, for whatever reason (cache congestion, command-line purge, server restart, etc.), the user will be prompted for credentials. It may be necessary to increase the size of the cache by adjusting [AuthCacheEntriesMax]. <hr class="note_hr"> </div> </ol> <!-- source:0400_TLS.WASDOC --> <hr class="page"> <a id="4." href="#"></a> <a id="4.transportlayersecurity" href="#"></a> <a id="transportlayersecurity" href="#"></a> <h1 class="head"><span class="numb">4.</span><span class="text">Transport Layer Security</span></h1> <div class="TOC2cols2" style="width:80%;max-width:80%;"> <table class="TOC2table"> <tr><td><a href="#4.1.letsencrypt"><span class="numb">4.1</span><span class="text">Let's Encrypt</span></a> <tr><td><a href="#4.2.tlssslfunctionalitysources"><span class="numb">4.2</span><span class="text">TLS/SSL Functionality Sources</span></a> <tr><td><a href="#4.3.wasdsslquickstart"><span class="numb">4.3</span><span class="text">WASD SSL Quick-Start</span></a> <tr><td><a href="#4.4.opensslexeapplication"><span class="numb">4.4</span><span class="text">OPENSSL.EXE Application</span></a> <tr><td><a href="#4.5.sslconfiguration"><span class="numb">4.5</span><span class="text">SSL Configuration</span></a> <tr><td><a href="#4.5.1.wasdconfigservice"><span class="numb">4.5.1</span><span 
class="text">WASD_CONFIG_SERVICE</span></a> <tr><td><a href="#4.5.2.tlssslversions"><span class="numb">4.5.2</span><span class="text">TLS/SSL Versions</span></a> <tr><td><a href="#4.5.3.sslciphers"><span class="numb">4.5.3</span><span class="text">SSL Ciphers</span></a> <tr><td><a href="#4.5.4.openssloptions"><span class="numb">4.5.4</span><span class="text">(Open)SSL Options</span></a> <tr><td><a href="#4.5.5.forwardsecrecy"><span class="numb">4.5.5</span><span class="text">Forward Secrecy</span></a> <tr><td><a href="#4.5.6.sessionresumption"><span class="numb">4.5.6</span><span class="text">Session Resumption</span></a> <tr><td><a href="#4.5.7.stricttransportsecurity"><span class="numb">4.5.7</span><span class="text">Strict Transport Security</span></a> <tr><td><a href="#4.5.8.sslservercertificate"><span class="numb">4.5.8</span><span class="text">SSL Server Certificate</span></a> <tr><td><a href="#4.5.9.sslprivatekey"><span class="numb">4.5.9</span><span class="text">SSL Private Key</span></a> <tr><td><a href="#4.5.10.sslvirtualservices"><span class="numb">4.5.10</span><span class="text">SSL Virtual Services</span></a> <tr><td><a href="#4.5.11.sslaccesscontrol"><span class="numb">4.5.11</span><span class="text">SSL Access Control</span></a> <tr><td><a href="#4.5.12.authorizationusingx509certification"><span class="numb">4.5.12</span><span class="text">Authorization Using X.509 Certification</span></a> <tr><td><a href="#4.5.13.x509certificaterenegotiation"><span class="numb">4.5.13</span><span class="text">X.509 Certificate Renegotiation</span></a> <tr><td><a href="#4.5.14.features"><span class="numb">4.5.14</span><span class="text">Features</span></a> <tr><td><a href="#4.5.15.subjectalternativenameandotherextensions"><span class="numb">4.5.15</span><span class="text">Subject Alternative Name and Other Extensions</span></a> <tr><td><a href="#4.5.16.x509configuration"><span class="numb">4.5.16</span><span class="text">X509 Configuration</span></a> <tr><td><a 
href="#4.5.17.certificateauthorityverificationfile"><span class="numb">4.5.17</span><span class="text">Certificate Authority Verification File</span></a> <tr><td><a href="#4.5.18.x509authorizationcgivariables"><span class="numb">4.5.18</span><span class="text">X.509 Authorization CGI Variables</span></a> <tr><td><a href="#4.6.certificatemanagement"><span class="numb">4.6</span><span class="text">Certificate Management</span></a> <tr><td><a href="#4.6.1.servercertificate"><span class="numb">4.6.1</span><span class="text">Server Certificate</span></a> <tr><td><a href="#4.6.2.certificatesigningrequest"><span class="numb">4.6.2</span><span class="text">Certificate Signing Request</span></a> <tr><td><a href="#4.7.sslcgivariables"><span class="numb">4.7</span><span class="text">SSL CGI Variables</span></a> <tr><td><a href="#4.8.sslserviceevaluation"><span class="numb">4.8</span><span class="text">SSL Service Evaluation</span></a> <tr><td><a href="#4.9.sslreferences"><span class="numb">4.9</span><span class="text">SSL References</span></a> </table> </div> <table class="NAVtable NAVprint"><tr> <td><a href="javascript:window.history.back();">↩︎</a> <td><a href="#3.">↖︎</a> <td><a href="#0.">↑︎</a> <td><a href="#5.">↘︎</a> <td><a href="javascript:window.history.forward();">↪︎</a> </table> <p> <span class="high bold">Transport Layer Security</span> (TLS), and its predecessor <span class="high bold">Secure Sockets Layer</span> (SSL), are cryptographic protocols designed to provide communication privacy over a network, in the case of HTTP between the browser (client) and the server. It also authenticates server and optionally client identity. TLS/SSL operates by establishing an encrypted communication path between the two applications, "wrapping" the entire application protocol inside the secure link, providing complete privacy for the entire transaction. 
In this way security-related data such as user identification and password, as well as sensitive transaction information can be protected from unauthorized access while in transit. This section is not a tutorial on TLS/SSL. It contains only information relating to WASD's use of it. See <a class="link" href="#4.9.sslreferences">4.9 SSL References</a> for further information on TLS/SSL technology. <div class="note"> <a id="4.0.0.0.1" href="#"></a> <a id="4.tlsandssl" href="#"></a> <a id="tlsandssl" href="#"></a> <h5 class="head center"><span class="text">TLS and SSL</span></h5> <hr class="note_hr"> The terms are used interchangably in this document to represent cryptographic communication technology. They are similar but with important differences. TLS is the more modern and considered the more secure. The term SSL is still in common usage though and retained here even if WASD (and OpenSSL) now only implements TLS. When OpenSSL(.org) considers changing its name WASD will toss out the term SSL <span class="high _smiley"> </span> <hr class="note_hr"> </div> <p> <table class="tabl"> <tr class="tabr"> <td class="tabd"><img class="image" style="width:208px;" src="./OpenSSL_logo.png"> <td class="tabd valmid">WASD implements SSL using a freely available software toolkit supported by the <span class="high bold">OpenSSL Project</span>. </table> <p> OpenSSL licensing allows unrestricted commercial and non-commercial use. This toolkit is in use regardless of whether the WASD OpenSSL package, HP SSL for OpenVMS product, or other stand-alone OpenSSL environment is installed. 
It is always preferable to move to the latest supported release of OpenSSL, as known bugs in previous versions are progressively addressed
<div class="blockof quote">You should be very sensible when using cryptography software, because just running an SSL server <span class="high under">DOES NOT</span> mean your system is then secure! This is for a number of reasons. The following questions illustrate some of the problems. <ul class="list list0"> <li class="item"> SSL itself may not be secure. People think it is, do you? <li class="item"> Does this code implement SSL correctly? <li class="item"> Have the authors of the various components put in back doors? <li class="item"> Does the code take appropriate measures to keep private keys private? To what extent is your cooperation in this process required? <li class="item"> Is your system physically secure? <li class="item"> Is your system appropriately secured from intrusion over the network? <li class="item"> Whom do you trust? Do you understand the trust relationship involved in SSL certificates? Do your system administrators? <li class="item"> Are your keys, and keys you trust, generated careful[ly] enough to avoid reverse engineering of the private keys? <li class="item"> How do you obtain certificates, keys, and the like, securely? <li class="item"> Can you trust your users to safeguard their private keys? <li class="item"> Can you trust your browser to safeguard its generated private key? </ul> If you can't answer these questions to your personal satisfaction, then you usually have a problem. Even if you can, you may still <span class="high under">NOT</span> be secure. Don't blame the authors if it all goes horribly wrong. Use it at your own risk! </div> <a id="4.1" href="#"></a> <a id="4.1.letsencrypt" href="#"></a> <a id="letsencrypt" href="#"></a> <h2 class="head"><span class="numb">4.1</span><span class="text">Let's Encrypt</span></h2> <p> Have (or want) a TLS/SSL secured site? <p> Using self-signed or commercial server certificate(s)? 
<p> <span class="high bold">Let's Encrypt</span> makes it possible to obtain and maintain browser-trusted certificates, simply, automatically and <span class="high bold">at no cost</span>. <p> See <span class="high under">WASD Certificate Management Environment</span> (wuCME) on the WASD download page at <a class="link blank" target="_blank" href="https://wasd.vsm.com.au/wasd/#wucme">https://wasd.vsm.com.au/wasd/</a> <a id="4.2" href="#"></a> <a id="4.2.tlssslfunctionalitysources" href="#"></a> <a id="tlssslfunctionalitysources" href="#"></a> <h2 class="head"><span class="numb">4.2</span><span class="text">TLS/SSL Functionality Sources</span></h2> <p> Secure Sockets Layer functionality is easily integrated into WASD and is available from one (or more) of the following sources. See for the basics of installing WASD SSL and for configuration of various aspects. <div class="note center"> <a id="4.2.0.0.1" href="#"></a> <a id="4.2.allopenssl102andearlier" href="#"></a> <a id="allopenssl102andearlier" href="#"></a> <h5 class="head center"><span class="text">All OpenSSL 1.0.2 and earlier</span></h5> <hr class="note_hr"> are considered obsolete, deprecated and unsupported <hr class="note_hr"> </div> <ol class="list"> <li class="item"> The <span class="high bold">VSI SSL111 for OpenVMS</span> product <p> This is provided from the directory SYS$COMMON:<a class="link blank" target="_blank" href="/sys$common/ssl111/*.*">[SSL111]</a> containing shared libraries, executables and templates for certificate management, etc. If this product is installed and started the WASD installation and update procedures should detect it and provide the option of compiling and/or linking WASD against its shareable libraries. <li class="item"> As a separate, easily integrated <span class="high bold">WASD OpenSSL package</span>, with OpenSSL object libraries, OpenSSL utility object modules for building executables and WASD support files. Currently it is based on the OpenSSL v1.1.1 code stream. 
The package requires no compilation, only linking, and is available for Alpha and Itanium for VMS version 7.0 up to current. <p> WASD OpenSSL installation creates an OpenSSL directory in the source WASD_ROOT:[SRC<a class="link blank" target="_blank" href="/wasd_root/src/*.*">.OPENSSL-n_n_n]</a> (look for it here) containing the OpenSSL copyright notice, object libraries, object modules for building executables, example certificates, and some other support files and documentation. <li class="item"> Using a locally compiled and installed <span class="high bold">OpenSSL toolkit</span>. <p> The OpenSSL v1.1.1 code stream is supported. WASD requires a 32 bit OpenSSL build (the default). <p> To change linkage use step 2 described in selecting the alternate toolkit build. <p> OpenSSL v1.1.1 uses the naming schema OSSL$… for logical and file names. It also provides object libraries for a static linked executable, as well as shareable images, for the two main APIs (SSL and crypto). In common with the VSI SSL111 product, the shareable images must be installed to be used with the WASD server privileged executable. The WASD STARTUP.COM procedure will undertake this when directed (see immediately below). <p> There is one other consideration. For a privileged executable to activate a shareable image, not only must the image be installed but any associated logical names must be defined in executive (or kernel) mode. 
When executing the OpenSSL v1.1.1 startup procedure P1 must be "<span class="high italic monosp">SYSTEM/EXECUTIVE</span>" as in the following example: <div class="blockof code">$ @SYS$COMMON:[OPENSSL.SYS$STARTUP]OPENSSL_STARTUP0101.COM "/SYSTEM/EXECUTIVE" $ @WASD_ROOT:[STARTUP]STARTUP WASD_OSSL=1 </div> </ol> <a id="4.3" href="#"></a> <a id="4.3.wasdsslquickstart" href="#"></a> <a id="wasdsslquickstart" href="#"></a> <h2 class="head"><span class="numb">4.3</span><span class="text">WASD SSL Quick-Start</span></h2> <p> SSL functionality can be installed with a new package, or with an update, or it can be added to an existing non-SSL enabled site. The following steps give a quick outline for support of SSL. <ol class="list"> <li class="item"> If using the VSI SSL111 product or an already installed OpenSSL toolkit go directly to step 2. To install the WASD OpenSSL package the ZIP archive needs to be restored. <ul class="list"> <li class="item"> The ZIP archive will contain brief installation instructions. Use the following command to read this and any other information provided. <div class="blockof code">$ UNZIP -z device:[dir]archive.ZIP </div> <li class="item"> <span class="high under">Either</span> UNZIP the WASD OpenSSL package into a new installation <div class="blockof code">$ SET DEFAULT [.WASD_ROOT] $ UNZIP device:[dir]archive.ZIP </div> <li class="item"> <span class="high under">OR</span> into an existing installation <div class="blockof code">$ SET DEFAULT WASD_ROOT:[000000] $ UNZIP device:[dir]archive.ZIP </div> </ul> <li class="item"> It is then necessary to build the (server and Open)SSL executables. <ul class="list"> <li class="item"> If during an original INSTALL or subsequent UPDATE of the entire package the procedures detect a suitable SSL toolkit and prompt the user whether an SSL enabled server should be built. 
<li class="item"> To to add SSL functionality to an existing but non-SSL site just the SSL components can be built using the following procedure. <div class="blockof code">$ @WASD_ROOT:[INSTALL]UPDATE SSL </div> </ul> <li class="item"> Once linked the UPDATE.COM procedure will prompt for permission to execute the demonstration/check procedure. <p> It is also possible to check the SSL package at any other time using the server demonstration procedure. It is necessary to specify that it is to use the SSL executable. Follow the displayed instructions. <div class="blockof code">$ @WASD_ROOT:[INSTALL]DEMO.COM SSL </div> <li class="item"> Modification of server startup procedures should not be necessary. If an SSL image is detected during startup it will be used in preference to the standard image. <li class="item"> Modify the WASD_CONFIG_SERVICE configuration file to specify an SSL service. For example the following adds a generic SSL service on port 443. <div class="blockof code">[[https://*:443]] </div> <li class="item"> Shutdown the server completely, then restart. <div class="blockof code">$ HTTPD /DO=EXIT $ @WASD_ROOT:[STARTUP]STARTUP </div> <li class="item"> To check the functionality (on default ports) access the server via <ul class="list simple"> <li class="item"> Standard HTTP <div class="blockof code">http://the.example.com/ </div> <li class="item"> SSL HTTP <div class="blockof code">https://the.example.com/ </div> </ul> <li class="item"> Once the server has been proved functional with the example certificate it is recommended that a server-specific certificate be created using the tools described in <a class="link" href="#4.6.1.servercertificate">4.6.1 Server Certificate</a> and <a class="link" href="#4.6.certificatemanagement">4.6 Certificate Management</a>. 
</ol> <a id="4.4" href="#"></a> <a id="4.4.opensslexeapplication" href="#"></a> <a id="opensslexeapplication" href="#"></a> <h2 class="head"><span class="numb">4.4</span><span class="text">OPENSSL.EXE Application</span></h2> <p> The OPENSSL.EXE application is a command line tool for using the various cryptography functions of OpenSSL's crypto library from the shell. It is described being used several times in this section of the documentation. Refer to the OpenSSL Man page for descriptions of the various commands and their syntax. <ul class="list simple list0"> <li class="item"> <a class="link blank" target="_blank" href="https://www.openssl.org/docs/manmaster/man1/openssl.html">https://www.openssl.org/docs/manmaster/man1/openssl.html</a> <li class="item"> <a class="link blank" target="_blank" href="https://wiki.openssl.org/index.php/Command_Line_Utilities">https://wiki.openssl.org/index.php/Command_Line_Utilities</a> </ul> <p> It is commonly used as a <span class="high italic">foreign verb</span> on VMS systems and assigned during SYLOGIN.COM or LOGIN.COM and depends on the distribution and version in use. For example: <ul class="list simple list0"> <li class="item"> $ @SSL111$COM:SSL111$UTILS.COM <li class="item"> $ @OSSL$INSTROOT:[SYS$STARTUP]OPENSSL_UTILS0101.COM </ul> <p> A simple addition to SYLOGIN.COM or LOGIN.COM for WASD-specific OpenSSL kits to assign the OPENSSL verb is: <div class="blockof code">$ @WASD_ROOT:[EXAMPLE]WASDVERBS.COM SSL </div> <a id="4.5" href="#"></a> <a id="4.5.sslconfiguration" href="#"></a> <a id="sslconfiguration" href="#"></a> <h2 class="head"><span class="numb">4.5</span><span class="text">SSL Configuration</span></h2> <p> The example server startup procedure already contains support for the SSL executable. If this has been used as the basis for startup then an SSL executable will be started automatically, rather than the standard executable. 
The SSL executable supports both standard HTTP services (ports) and HTTPS services (ports). These must be configured using the [service] parameter. SSL services are distinguished by specifying "https:" in the parameter. The default port for an SSL service is 443. <p> WASD can configure services using the WASD_CONFIG_GLOBAL [SSL..] directives, the per-service WASD_CONFIG_SERVICE [ServiceSSL..] directives, or the /SSL= qualifier. Configuration precedence is WASD_CONFIG_SERVICE, /SSL= and finally WASD_CONFIG_GLOBAL. <a id="4.5.1" href="#"></a> <a id="4.5.1.wasdconfigservice" href="#"></a> <a id="wasdconfigservice" href="#"></a> <h3 class="head"><span class="numb">4.5.1</span><span class="text">WASD_CONFIG_SERVICE</span></h3> <p> SSL service configuration using the WASD_CONFIG_SERVICE configuration is slightly simpler, with a specific configuration directive for each aspect. (see <a class="link blank" target="_blank" href="../config/#serviceconfiguration">Service Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>). This example illustrates configuring the same services as used in the previous section. <div class="blockof code">[[http://alpha.example.com:80]] [[https://alpha.example.com:443]] [ServiceSSLversion] TLSvALL [ServiceSSLcert] WASD_ROOT:[local]alpha.pem [[https://beta.example.com:443]] [ServiceSSLversion] SSLv3 [ServiceSSLcert] WASD_ROOT:[local]beta.pem </div> <a id="4.5.2" href="#"></a> <a id="4.5.2.tlssslversions" href="#"></a> <a id="tlssslversions" href="#"></a> <h3 class="head"><span class="numb">4.5.2</span><span class="text">TLS/SSL Versions</span></h3> <a id="4.5.2.0.0.1" href="#"></a> <a id="4.5.2.sslversions" href="#"></a> <a id="sslversions" href="#"></a> <h6 class="head display0"><span class="text">SSL Versions</span></h6> <p> As WASD uses the OpenSSL package in one distribution or another it largely supports all of the capability of that underlying package. 
The obsolete SSLv2, and the deprecated SSLv3, are no longer accepted by default. The WASD defaults comprise the TLS family of protocols, at the time of writing, <span class="high bold">TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3</span>. Sites should periodically review whether TLSv1 and TLSv1.1 are still required by their clients, as current guidance favours TLSv1.2 and later. <p> Some older clients employing SSLv3 may fail. Symptoms are dropped connection establishment and WATCH [x]SSL variously showing "SSL routines SSL<span class="high italic">n</span>_GET_RECORD wrong version number", "SSL routines SSL<span class="high italic">n</span>_GET_CLIENT_HELLO unknown protocol", possibly others. It is generally considered SSL best-practice not to have SSLv3 enabled, but if required it may be enabled by configuring WASD_CONFIG_GLOBAL [SSLversion] with "SSLv3,TLSvALL", the per-service WASD_CONFIG_SERVICE equivalent, or using the /SSL=(SSLv3,TLSvALL) command line parameter during server startup. Note that this enables SSLv3 for every client of the affected service, not only the older clients that need it, so prefer the per-service form and restrict it to the service that must accept such clients. <a id="4.5.2.0.1" href="#"></a> <a id="4.5.2.tlsversion13" href="#"></a> <a id="tlsversion13" href="#"></a> <h5 class="head"><span class="text">TLS Version 1.3</span></h5> <p> TLSv1.3 perhaps should have been designated TLSv2.0 and not be considered as an incremental improvement over earlier versions of TLS but a significant upgrade! <ul class="list simple"> <li class="item"> <a class="link blank" target="_blank" href="https://wiki.openssl.org/index.php/TLS1.3">https://wiki.openssl.org/index.php/TLS1.3</a> </ul> <p> TLSv1.3 can be tested for as demonstrated at <a class="link" href="#4.8.testtlsversion13">‘test TLS Version 1.3’ in 4.8 SSL Service Evaluation</a>. <a id="4.5.3" href="#"></a> <a id="4.5.3.sslciphers" href="#"></a> <a id="sslciphers" href="#"></a> <h3 class="head"><span class="numb">4.5.3</span><span class="text">SSL Ciphers</span></h3> <p> Ciphers are the algorithms, designed and implemented on mathematical computations, that render the readable plaintext into unreadable ciphertext. 
Ciphers tend to be available in suites (or families) of variants, usually differing in key size and therefore in resistance to decryption without the key, that browsers and other agents negotiate on and accept when setting up a secure (encrypted) network transport with a server. <p> Cipher selection is important to the overall security of the supported environment as well as to the range of clients and servers that can establish communication through shared cipher suites. Including only more recent (and technically secure) ciphers can preclude older clients from establishing a secure connection, while including older (and perhaps more susceptible to modern attack) ciphers increases site vulnerability. Some environments, for example HTTP/2, are quite prescriptive regarding the secure connection, to the point of blacklisting protocol versions and cipher suites no longer considered secure enough. <p> Fortunately a number of sites provide cipher guidelines based on requirements. The Mozilla Developer Network provides these amongst other useful information on security and server side TLS. <p class="indent"> <a class="link blank" target="_blank" href="https://wiki.mozilla.org/Security/Server_Side_TLS">https://wiki.mozilla.org/Security/Server_Side_TLS</a> <p> WASD has a default (built-in) functional cipher list that is general in application and relevant to when it was compiled. This in particular, and site cipher lists in general, should be reviewed from time to time as opinions and requirements do change. <p> Many agents (browsers) require the elliptic curve ciphers provided by Forward Secrecy elements (<a class="link" href="#4.5.5.forwardsecrecy">4.5.5 Forward Secrecy</a>) to negotiate later TLS versions. 
<a id="4.5.3.0.0.1" href="#"></a> <a id="4.5.3.ssloptions" href="#"></a> <a id="ssloptions" href="#"></a> <h6 class="head display0"><span class="text">SSL Options</span></h6> <a id="4.5.3.0.0.2" href="#"></a> <a id="4.5.3.tlsssloptions" href="#"></a> <a id="tlsssloptions" href="#"></a> <h6 class="head display0"><span class="text">TLS/SSL Options</span></h6> <a id="4.5.3.0.0.3" href="#"></a> <a id="4.5.3.openssloptions" href="#"></a> <a id="openssloptions" href="#"></a> <h6 class="head display0"><span class="text">OpenSSL Options</span></h6> <a id="4.5.4" href="#"></a> <a id="4.5.4.openssloptions" href="#"></a> <a id="openssloptions" href="#"></a> <h3 class="head"><span class="numb">4.5.4</span><span class="text">(Open)SSL Options</span></h3> <p> The OpenSSL package provides for various options to be flagged against a TLS/SSL service. WASD sets the (OpenSSL) default options and then allows these to be overwritten/set/reset using hexadecimal values representing bit patterns. OpenSSL defaults are suitable for most sites. 
<p> The SSL options directives in global and per-service configuration, and the OPTIONS= keyword for the /SSL= qualifier, accept <ul class="list simple list0"> <li class="item"> 0x<span class="high italic">XX</span> - overwrite the options field <li class="item"> +0x<span class="high italic">XX</span> - set (logical OR) the specified bit(s) <li class="item"> -0x<span class="high italic">XX</span> - clear (logical AND with the complement of) the specified bit(s) </ul> <p> Alternatively, the following OpenSSL option mnemonics can be used with a leading "+" to enable, or "-" to disable <ul class="list simple list0"> <li class="item"> OP_ALL <li class="item"> OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION <li class="item"> OP_CIPHER_SERVER_PREFERENCE <li class="item"> OP_LEGACY_SERVER_CONNECT <li class="item"> OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION <li class="item"> OP_NO_TICKET <li class="item"> OP_SINGLE_DH_USE <li class="item"> OP_TLS_ROLLBACK_BUG </ul> <p> Note that the mnemonics whose names indicate relaxed behaviour (OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, OP_LEGACY_SERVER_CONNECT, OP_TLS_ROLLBACK_BUG) exist to accommodate non-conforming peers and weaken protocol protections; enable them only for a documented compatibility need and review that need periodically. Because hexadecimal values are OpenSSL-version specific, prefer the mnemonic form where possible. <a id="4.5.5" href="#"></a> <a id="4.5.5.forwardsecrecy" href="#"></a> <a id="forwardsecrecy" href="#"></a> <h3 class="head"><span class="numb">4.5.5</span><span class="text">Forward Secrecy</span></h3> <p> Forward secrecy, sometimes known as perfect forward secrecy (PFS), is a property of key-agreement protocols ensuring that a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys is compromised in the future. <p class="indent"> <a class="link blank" target="_blank" href="http://en.wikipedia.org/wiki/Forward_secrecy">http://en.wikipedia.org/wiki/Forward_secrecy</a> <p> OpenSSL supports forward secrecy using ephemeral Diffie-Hellman key exchange, either over finite fields (DHE) or over elliptic curves (ECDHE). The finite-field variant relies on Diffie-Hellman parameters based on unique, safe prime numbers, from which the per-connection ephemeral keys are derived. These parameters are expensive to generate and so this is done infrequently, often during software build or installation. 
In the case of WASD, to maximise flexibility, these numbers are stored in external PEM-format files, by default located in the WASD_ROOT:[LOCAL] directory. These files are only briefly accessed during server startup SSL initialisation and the content later used during network connection SSL negotiation to generate the required ephemeral keys. <p> PFS requires a small number of elements working in concert <ul class="list list0"> <li class="item"> Ephemeral key generation <li class="item"> Selection and ordering of server ciphers <li class="item"> Ensuring the server determines the cipher used (+OP_CIPHER_SERVER_PREFERENCE) </ul> <p> The detail is described in these references <ul class="list simple list0"> <li class="item"> <a class="link blank" target="_blank" href="https://community.qualys.com/blogs/securitylabs/2013/06/25/\ssl-labs-deploying-forward-secrecy">https://community.qualys.com/blogs/securitylabs/2013/06/25/\ssl-labs-deploying-forward-secrecy</a> <li class="item"> <a class="link blank" target="_blank" href="https://community.qualys.com/blogs/securitylabs/2013/08/05/\configuring-apache-nginx-and-openssl-for-forward-secrecy">https://community.qualys.com/blogs/securitylabs/2013/08/05/\configuring-apache-nginx-and-openssl-for-forward-secrecy</a> </ul> <div class="note center"><a id="4.5.5.0.0.1" href="#"></a> <a id="4.5.5.note" href="#"></a> <a id="note" href="#"></a> <h5 class="head center"><span class="text">Note</span></h5> <hr class="note_hr"> Ephemeral keys are supported beginning with WASD v10.4.1. <hr class="note_hr"> </div> <p> Executing the WASD OpenSSL procedure <div class="blockof code">$ @CREATE_EPHEMERAL_DH_PARAM </div> will generate site-unique files containing 512, 1024 and 2048 bit primes, and optionally copy those files to the WASD_ROOT:[LOCAL] directory. The [.CERT] directory contains files that could be used but unique, locally generated primes are preferable. 
<p> Alternatively, the parameters may be generated directly at the command-line using the OpenSSL <span class="high italic">dhparam</span> utility, as in these examples; <div class="blockof code">$ openssl dhparam -out dh_param_512.pem 512 $ openssl dhparam -out dh_param_1024.pem 1024 $ openssl dhparam -out dh_param_2048.pem 2048 </div> <div class="note center"><a id="4.5.5.0.0.2" href="#"></a> <a id="4.5.5.note" href="#"></a> <a id="note" href="#"></a> <h5 class="head center"><span class="text">Note</span></h5> <hr class="note_hr"> Parameter generation can take some considerable time! <hr class="note_hr"> </div> The file(s) must be located in the WASD_ROOT:[LOCAL] directory and the file names use the format DH_PARAM_<span class="high italic">number-of-bits</span>.PEM <p> The smaller parameter sizes are provided for compatibility with older clients only. Current guidance, such as the Mozilla Server Side TLS reference cited in 4.5.3, favours 2048-bit or larger Diffie-Hellman parameters, so sites that do not need to support such clients should consider providing only the larger sizes. <p> Alternatively, files containing Diffie-Hellman parameters generated freshly with each release may be copied from the WASD OpenSSL package using <div class="blockof code">$ COPY WASD_ROOT:[SRC.OPENSSL-n_n_n.WASD.CERT]DH_PARAM_*.PEM WASD_ROOT:[LOCAL] </div> <a id="4.5.6" href="#"></a> <a id="4.5.6.sessionresumption" href="#"></a> <a id="sessionresumption" href="#"></a> <h3 class="head"><span class="numb">4.5.6</span><span class="text">Session Resumption</span></h3> <p> When a TLS/SSL connection is initiated an expensive handshake (in terms of time and compute) is required to establish the cryptographic and other elements of the connection. Mitigation of this expense is undertaken by allowing the resumption of a previous session (abbreviating the handshake exchanges) using connection state stored either at the server or at the client. <ul class="list"> <li class="item"> <span class="high bold">Session Ticket</span> <p> This TLS extension provides the connection state to the client, encrypted with keys available only to the server. The client stores the (encrypted) state and when (re-)connecting to the server provides that ticket in the initial part of the handshake. 
The server decrypts the ticket and if valid expedites the connection by resuming the previously negotiated session. This is the more modern, almost universally supported mechanism and is generally enabled by default. <p> Session tickets introduce a potential vulnerability to TLS security, in particular to the benefits of Forward Secrecy (PFS). If the ticket can be compromised, through theft of the keys or brute-force decryption attack, the entire session becomes vulnerable to attack. It is therefore advised to periodically rotate (change) the keys used by the server to encrypt the tickets. WASD does this every (RFC recommended) 24 hours, at midnight (local time). <p> Where a site is provided by multiple servers and connections distributed between these, session resumption using tickets relies on each server using the same keys. The current keys must be distributed to each server (using a secure mechanism) and this performed every time the keys are rotated. WASD uses the DLM to perform this for multiple per-node and cluster-wide instances as applicable. <li class="item"> <span class="high bold">Session ID</span> <p> In a full handshake the server sends a Session ID (unique, non-repeating value) as part of the handshake. On a subsequent connection the client can pass this session ID back to the server when connecting. To support session resumption via session IDs the server must maintain a cache that maps past session IDs to those sessions' states. The cache has limited capacity and is expensive for the server to maintain. If the session ID is still available in the cache the session can be resumed. This is the original session resumption mechanism. <p> Where a single WASD instance is involved the session cache is implemented in-memory. With multiple instances on a single node it is provided across those instances using a shared global section. 
The capacity of this shared cache is determined by the WASD_CONFIG_GLOBAL [SSLinstanceCacheMax] and [SSLinstanceCacheSize] directives. There is no cluster-wide session cache. When multiple instances are in use the shared session cache is enabled by default. Session ID caching may be globally disabled by setting [SSLsessionCacheMax] to -1. </ul> <p> With Session Tickets being the more modern, flexible and efficient solution to session resumption (and being available cluster-wide) it is recommended that WASD sites disable Session ID caching. <p> The default maximum period for session reuse is five minutes. This may be set globally using the [SSLsessionLifetime] directive or on a per-service basis using [ServiceSSLsessionLifetime]. Keep this period short; any resumed session reuses previously negotiated keying material, so a longer lifetime widens the window during which a compromised ticket key or cached session is useful to an attacker. <p> To some extent, the relatively long-lived connections and lower concurrency with HTTP/2 means the importance of session resumption in improving request latency and connection overhead is reduced. <a id="4.5.7" href="#"></a> <a id="4.5.7.stricttransportsecurity" href="#"></a> <a id="stricttransportsecurity" href="#"></a> <h3 class="head"><span class="numb">4.5.7</span><span class="text">Strict Transport Security</span></h3> <p> HTTP Strict Transport Security (HSTS) is a security policy mechanism which helps protect sites against protocol downgrade attack and cookie hijacking. It allows web servers to declare that browsers and other complying agents should only interact using secure (TLS) HTTP connections and never via clear-text HTTP. HSTS is an IETF standard specified in RFC 6797. <p> When global configuration directive [SSLstrictTransSec] is non-zero, or per-service configuration directive [ServiceSSLstrictTransSec] is non-zero, or a path is <span class="high italic">SET response=sts=<value></span>, TLS/SSL HTTP responses include a "Strict-Transport-Security: max-age=<span class="high italic">seconds</span>" header field. 
Conforming agents note this period and refuse to communicate with the site via clear-text HTTP for the period represented by the integer number of seconds specified. Because agents cache the policy for that full period, and it cannot be quickly withdrawn from clients that have already received it, enable HSTS only once every host it covers is reliably served over TLS, and begin with a modest max-age that is extended once this has been confirmed. <a id="4.5.8" href="#"></a> <a id="4.5.8.sslservercertificate" href="#"></a> <a id="sslservercertificate" href="#"></a> <h3 class="head"><span class="numb">4.5.8</span><span class="text">SSL Server Certificate</span></h3> <p> The server certificate is used by the browser to authenticate the server against the server certificate's Certificate Authority (CA) when making a secure connection, and in establishing a trust relationship between the browser and server. By default this is located using the WASD_CONFIG_GLOBAL [SSLcert] or WASD_CONFIG_SERVICE [ServiceSSLcert] configuration directive, the WASD_CONFIG_SSL_CERT logical name, or the /SSL= command-line qualifier. If required, each SSL service can have an individual certificate configured, as in the example above. <a id="4.5.9" href="#"></a> <a id="4.5.9.sslprivatekey" href="#"></a> <a id="sslprivatekey" href="#"></a> <h3 class="head"><span class="numb">4.5.9</span><span class="text">SSL Private Key</span></h3> <p> The <span class="high italic">private key</span> corresponds to the public key in the server certificate and is what allows the server to prove ownership of that certificate. A private key is enabled using a <span class="high italic">secret</span>, a password. It is common practice to embed this (encrypted) password within the private key data. This private key can be appended to the server certificate file, or it can be supplied separately. If provided separately it can be located using the WASD_CONFIG_GLOBAL [SSLkey] or WASD_CONFIG_SERVICE [ServiceSSLkey] configuration directive, or using the WASD_CONFIG_SSL_KEY logical. When the key can be used without a separately supplied password, anyone who obtains the key file obtains a usable key, so the file must be protected with restrictive file ownership and protection and kept out of any web-accessible path. For this reason it is also possible to provide the password separately and manually. 
<p> If the password is not found with the key during startup the server will request that it be entered at the command-line. This request is made via the HTTPDMON "STATUS:" line (see <a class="link blank" target="_blank" href="../config/#opcomlogging">OPCOM Logging</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>), and if any OPCOM category is enabled via an operator message. If the private key password is not available with the key it is recommended that OPCOM be configured, enabled and monitored at all times, since an unattended restart will otherwise leave the affected service unavailable until the password is supplied. <p> When a private key password is requested by the server it is supplied using the /DO=SSL=KEY=PASSWORD directive (<a class="link" href="#9.7.httpdcommandline">9.7 HTTPd Command Line</a>). This must be used at the command line on the same system as the server is executing. The server then prompts for the password. <div class="blockof code">Enter private key password []: </div> The password is not echoed. When entered the password is securely supplied to the server and startup progresses. An incorrect password will be reprompted for twice (i.e. up to three attempts are allowed) before the startup continues with the particular service not configured and unavailable. Entering a password consisting of all spaces will cause the server to abort the full startup and exit from the system. <a id="4.5.10" href="#"></a> <a id="4.5.10.sslvirtualservices" href="#"></a> <a id="sslvirtualservices" href="#"></a> <h3 class="head"><span class="numb">4.5.10</span><span class="text">SSL Virtual Services</span></h3> <p> Multiple virtual SSL services (https:) sharing the same or individual certificates (and other characteristics) can essentially be configured against any host name (unique IP address or host name alias) and/or port in the same way as standard services (http:). 
<p> WASD SSL implements <span class="high bold">Server Name Indication</span> (SNI), an extension to the TLS protocol that indicates what hostname the client is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and port number and hence allows multiple secure (HTTPS) websites (or any other Service over TLS) to be served off the same IP address without requiring all those sites to use the same certificate. <p> When the client presents an SNI server name during SSL connection establishment, WASD searches the list of services it is offering for an SSL service (the first hit) operating with a name matching the SNI server name. If matched, the SSL context (certificate, etc.) of that service is used to establish the connection. If not matched, the service the TCP/IP connection originally arrived at is used. Note the consequences of this fallback: a client presenting an SNI name for which no https: service is configured is served with the certificate of the service at the arrival address and port, which the client will normally report as a name mismatch, and the SNI name is sent in clear text in the handshake and so is visible to anyone observing the connection. <a id="4.5.11" href="#"></a> <a id="4.5.11.sslaccesscontrol" href="#"></a> <a id="sslaccesscontrol" href="#"></a> <h3 class="head"><span class="numb">4.5.11</span><span class="text">SSL Access Control</span></h3> <p> When authorization is in place (<a class="link" href="#3.authenticationandauthorization">3. Authentication and Authorization</a>) access to username/password controlled data/functionality benefits enormously from the privacy of an authorization environment inherently secured via the encrypted communications of SSL. In addition there is the possibility of authentication via client X.509 certification (<a class="link" href="#4.5.12.authorizationusingx509certification">4.5.12 Authorization Using X.509 Certification</a>). 
SSL may be used as part of the site's access control policy, as whole-of-site, see <a class="link" href="#3.2.authenticationpolicy">3.2 Authentication Policy</a>, or on a per-path basis (see <a class="link blank" target="_blank" href="../config/#requestprocessingconfiguration">Request Processing Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>). <a id="4.5.12" href="#"></a> <a id="4.5.12.authorizationusingx509certification" href="#"></a> <a id="authorizationusingx509certification" href="#"></a> <h3 class="head"><span class="numb">4.5.12</span><span class="text">Authorization Using X.509 Certification</span></h3> <p> The server access control functionality (authentication and authorization) allows the use of <span class="high italic">public key infrastructure</span> (PKI) X.509 v3 client certificates for establishing identity and, based on that, applying authorization constraints. See <a class="link" href="#3.authenticationandauthorization">3. Authentication and Authorization</a> for general information on WASD authorization and <a class="link" href="#3.4.authorizationconfigurationfile">3.4 Authorization Configuration File</a> for configuring an X509 realm. <a class="link" href="#4.transportlayersecurity">4. Transport Layer Security</a> provides introductory references on public-key cryptography and PKI. <p> A client certificate is stored by the browser. During an SSL transaction the server can request that such a certificate be provided. For the initial instance of such a request the browser activates a dialog requesting the user select one of any certificates it has installed. If selected it is transmitted securely to the server which will usually (though optionally not) verify it against a trusted Certificate Authority to establish its integrity. Only if that verification has been performed should the certificate be relied upon as an authenticated identity; a certificate accepted without CA verification proves nothing about who presented it. Used this way it obviates username/password dialogs. 
<div class="note"> <a id="4.5.12.0.1" href="#"></a> <a id="4.5.12.important" href="#"></a> <a id="important" href="#"></a> <h5 class="head center"><span class="text">Important</span></h5> <hr class="note_hr"> Neither username/password nor certificate-based authentication addresses security issues related to access to individual machines and stored certificates, or to password confidentiality. Public-key cryptography only verifies that a private key used to sign some data corresponds to the public key in a certificate. It is a user responsibility to protect a machine's physical security and to keep private-key passwords secret. <hr class="note_hr"> </div> <p> The initial negotiation and verification of a client certificate is a relatively resource intensive process. Once established however, OpenSSL sessions are usually either stored in a cache or stored encrypted within the client, reducing subsequent request overheads significantly. Each session has a specified expiry period after which the client is forced to negotiate a new session. This period is adjustable using the "[LT:integer]" and "[TO:integer]" directives described below. Note that while a session persists the client certificate is not re-examined, so a revoked or expired certificate remains usable until the session expires; keep these periods short for sensitive resources. <a id="4.5.13" href="#"></a> <a id="4.5.13.x509certificaterenegotiation" href="#"></a> <a id="x509certificaterenegotiation" href="#"></a> <h3 class="head"><span class="numb">4.5.13</span><span class="text">X.509 Certificate Renegotiation</span></h3> <p> An X.509 client certificate is requested at either TLS/SSL connection establishment (WASD_CONFIG_GLOBAL [SSLverifyPeer], WASD_CONFIG_SERVICE [ServiceSSLverifyPeer]) or once the request has been made and assessed against authorisation rules. If an X509 realm controls access to the resources then the TLS/SSL connection is queried for an X.509 client certificate to authenticate the client and authorise the access. <p> This is performed via a TLS/SSL renegotiation and for this the connection must have been cleared of request data. In the case of a HEAD, GET, OPTIONS, etc. 
request, this already has implicitly occurred by there being no request body. For POST, PROPFIND, PUT, etc. requests, the client most likely already will be transmitting the request body. This (<span class="high italic">application data</span>) must be absorbed before the client certificate renegotiation can be performed. <p> In avoiding disruption to the current request, any request body must be buffered (in full, based on the content length specified in the header) before issuing the renegotiation. This consumes memory, potentially in large quantities, and because the buffer is allocated before the client has been authenticated the limit below also bounds what an unauthenticated client can cause the server to hold. The default maximum buffer space is 1MB. The maximum request body size, and hence maximum memory accommodated, can be configured using the per-service WASD_CONFIG_SERVICE [ServiceSSLverifyDataMax] directive, or the global WASD_CONFIG_GLOBAL configuration directive [SSLverifyDataMax]. <p> Where a request with a body exceeds the maximum allowed buffer space the authorisation fails. This can be observed using WATCH. Where very large files are being sent the only solution is to first authenticate with a request without a body (e.g. using OPTIONS) then using the persistent connection and associated X.509 authentication perform the PUT or POST. Note also that TLSv1.3 removed renegotiation from the protocol; verify with WATCH how per-resource certificate requests behave on TLSv1.3 connections with the OpenSSL version in use, and consider the by-service (initial handshake) mode described below where this matters. <a id="4.5.14" href="#"></a> <a id="4.5.14.features" href="#"></a> <a id="features" href="#"></a> <h3 class="head"><span class="numb">4.5.14</span><span class="text">Features</span></h3> <p> WASD provides a range of capabilities when using X.509 client certificates. <ul class="list"> <li class="item"> <span class="high bold">By Service – </span> all SSL connections to such a service will be requested to supply a client certificate during the initial SSL handshake. This is more efficient than requesting later in the transaction, as happens with per-resource authorization. A client cannot connect successfully to this type of service without supplying an acceptable certificate. 
<li class="item"> <span class="high bold">By Resource – </span> using authorization rules in the WASD_CONFIG_AUTH file specifying a path against an [X509] realm causes the server to suspend request processing and renegotiate with the client to supply a certificate. If a suitable certificate is supplied the request authorization continues with normal processing. This obviously incurs an additional network transaction. <li class="item"> <span class="high bold">Optional access control – </span> once an acceptable certificate is supplied it can be subject to further access control by matching against its contents. The <span class="high italic">Issuer</span> (CA) and the <span class="high italic">Subject</span> (client) <span class="high italic">Distinguished Name</span> (DN) has various components including the name of the organization providing the certificate (e.g. "VeriSign", "Thawte"), location, common name, email address, etc. Those certificates matching or not matching the parameters are allowed or denied access. <li class="item"> <span class="high bold">Certificate verification – </span> by default supplied certificates have their CA verified by comparing to a list of recognised CA certificates stored in a server configuration file. If the CA component of the client certificate cannot be verified the connection is terminated before the HTTP request can begin. Although this is obviously required behaviour for authentication there may be other circumstances where verification is not required, a certificate content display service for instance. WASD optionally allows non-verified certificates to be used on a per-resource basis. <li class="item"> <span class="high bold">"Fingerprint" REMOTE_USER – </span> when a certificate is accepted by the server it generates a unique <span class="high italic">fingerprint</span> of the certificate. 
By default, this 32 digit hexadecimal number is used by the server as an <span class="high italic">effective username</span>, one that would normally be supplied via a username/password dialog (as an alternative see the section immediately below). This effective username becomes that available via the CGI variable REMOTE_USER. Although a 32 digit number is not particularly site-administrator friendly it is a <span class="high under">unique</span> representation (MD5 digest) of the individual certificate and can be used in WASD_CONFIG_AUTH access-restriction directives and included in group lists and databases for full WASD authorization control. Note that MD5 is no longer considered collision resistant; the fingerprint is only a safe identity because it is computed over a certificate that has already passed CA verification, so it should not be relied upon for certificates accepted without verification (see "[vf:OPTIONAL]" below). <li class="item"> <span class="high bold">CN/DN record REMOTE_USER – </span> provides an alternative to using a "fingerprint" REMOTE_USER. Using the [RU:/<span class="high italic">record</span>=] conditional (see below) it becomes possible to specify that the remote-user string be obtained from the specified record of the client certificate subject field. Note that there is a (fairly generous) size limitation on the user name and that any white-space in such a record is converted to underscores. Although any record can be used the more obvious candidates are /O=, /OU=, /CN=, /S=, /UID= and /EMAIL=. Note that (even with the default CA verification) the certificate CAs that this is possible against should be further constrained through the use of a [IS:/<span class="high italic">record</span>=<span class="high italic">string</span>] conditional (see example below). This is essential because any CA in the verification store could issue a certificate bearing an arbitrary subject record; without the issuer constraint, a certificate from one trusted CA could impersonate a username issued by another. <li class="item"> <span class="high bold">Subject Alternative Name REMOTE_USER – </span> a common X509 V3 extension for providing identifying data in a certificate, can also be used to derive the remote user string. The same issuer constraint applies. <li class="item"> <span class="high bold">X509 extension REMOTE_USER – </span> the content of any other extension field suitably filtered. 
</ul> <a id="4.5.15" href="#"></a> <a id="4.5.15.subjectalternativenameandotherextensions" href="#"></a> <a id="subjectalternativenameandotherextensions" href="#"></a> <h3 class="head"><span class="numb">4.5.15</span><span class="text">Subject Alternative Name and Other Extensions</span></h3> <p> The basic syntax for this field is the full extension name, and the short-hand equivalent. <div class="blockof code">[X509] /VMS/* r+w,param="[ru:X509v3_subject_Alternative_Name]" /VMS/* r+w,param="[ru:X509v3_SAN]" </div> <p> The Subject Alternative Name (SAN) extension (in common with many others) may contain multiple data elements, each with a leading name, a colon, and a (if multi line) carriage-control terminated value. WASD parses these into unique fields using keywords fixed in function SesolaCertKeyword() and the site configurable logical name WASD_X509_EXTENSION_KEYWORDS value. To select one of these fields, for example the common (Microsoft) user principal name (UPN), append the required field name to the extension name as shown in the following example (includes "shorthand" equivalents, along with the underscore and equate variants). Note that the identifying name match is not case sensitive. Note also that a SAN may carry several elements of the same type; confirm with WATCH which element is selected when more than one is present, and constrain the issuing CA with an [IS:...] conditional as for subject records, since the SAN content is set by whichever CA issued the certificate. <div class="blockof code">[X509] /VMS/* r+w,param="[ru:X509V3_Subject_Alternative_Name_UserPrincipalName]" /VMS/* r+w,param="[ru:X509V3_Subject_Alternative_Name=UserPrincipalName]" /VMS/* r+w,param="[ru:X509v3_SAN_UPN]" /VMS/* r+w,param="[ru:X509v3_SAN=UPN]" /VMS/* r+w,param="[ru:X509V3_Subject_Alternative_Name_rfc822Name]" /VMS/* r+w,param="[ru:X509V3_Subject_Alternative_Name=rfc822Name]" /VMS/* r+w,param="[ru:X509v3_SAN_822]" /VMS/* r+w,param="[ru:X509v3_SAN=822]" </div> <p> Object Identifiers (OIDs) may be used for either record and field name (if an unknown otherName) by prefixing with "OID_". For example, the SAN may be alternatively selected, and the (Microsoft) UPN, as in the following examples. 
<div class="blockof code">/VMS/* r+w,param="[ru:OID_2_5_29_17]" /VMS/* r+w,param="[ru:OID_2_5_29_17_UPN]" /VMS/* r+w,param="[ru:OID_2_5_29_17=UPN]" /VMS/* r+w,param="[ru:X509v3_SAN_OID_1_3_6_1_20_2_3]" /VMS/* r+w,param="[ru:X509v3_SAN_OID=1_3_6_1_20_2_3]" </div> <a id="4.5.15.0.1" href="#"></a> <a id="4.5.15.extensionvisibility" href="#"></a> <a id="extensionvisibility" href="#"></a> <h5 class="head"><span class="text">Extension Visibility</span></h5> <p> X509 certificate extensions are in general visible from WATCH and accessible via CGI variables (when enabled using SET <span class="high italic">SSLCGI=apache_mod_ssl_extens</span> and <span class="high italic">SSLCGI=apache_mod_ssl_client</span> path mappings). The identifying names derived from X509 extensions are built of the alphanumerics in the element names. Non-alphanumerics (e.g. spaces) have underscores substituted. Multiple underscores are compressed into singles. Where elements have identical names the first multiple has TWO underscores and the digit two appended, the second multiple, two underscores and three appended, etc. Scripts consuming these CGI variables should treat their values as untrusted input originating from the certificate issuer, not as values the server has validated. <a id="4.5.16" href="#"></a> <a id="4.5.16.x509configuration" href="#"></a> <a id="x509configuration" href="#"></a> <h3 class="head"><span class="numb">4.5.16</span><span class="text">X509 Configuration</span></h3> <p> Of course, the WASD OpenSSL component must be installed and in use to apply client X.509 certificate authorization. There is general server setup, then per-service and per-resource configuration. <a id="4.5.16.0.1" href="#"></a> <a id="4.5.16.generalsetup" href="#"></a> <a id="generalsetup" href="#"></a> <h5 class="head"><span class="text">General Setup</span></h5> <p> Client certificate authorization has reasonable defaults. If some aspect requires site refinement the WASD_CONFIG_GLOBAL [SSL..] directives (see <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>) or command-line /SSL= qualifier parameters can provide per-server defaults. 
<ul class="list list0"> <li class="item"> (CACHE=integer) sets the session size (128 entries by default) <li class="item"> (CAFILE=file-name) sets the location of the CA verification store file (also can be set via WASD_CONFIG_SSL_CAFILE logical). <li class="item"> (TIMEOUT=integer) sets the session expiry period in minutes (5 by default) <li class="item"> (VERIFY=integer) sets the depth to which client certificate CAs are verified (default is 10) </ul> <p> The location of the CA verification file can also be determined using the logical name WASD_CONFIG_SSL_CAFILE. The order of precedence for using these specifications is <ol class="list list0"> <li class="item"> per-service configuration using WASD_CONFIG_SERVICE or WASD_CONFIG_GLOBAL <li class="item"> per-server using /SSL=CAFILE=filename <li class="item"> per-server using WASD_CONFIG_SSL_CAFILE </ol> <a id="4.5.16.0.2" href="#"></a> <a id="4.5.16.byservice" href="#"></a> <a id="byservice" href="#"></a> <h5 class="head"><span class="text">By Service</span></h5> <p> The WASD_CONFIG_SERVICE directive is provided for per-service CA file specification, if necessary allowing different services to accept a different mix of CAs. <div class="blockof code">[[https://the.example.com:443]] [ServiceSSLVerifyPeer] enabled [ServiceSSLVerifyPeerCAfile] WASD_ROOT:[LOCAL]CA_THE_HOST_NAME.TXT </div> <a id="4.5.16.0.3" href="#"></a> <a id="4.5.16.byresource" href="#"></a> <a id="byresource" href="#"></a> <h5 class="head"><span class="text">By Resource</span></h5> <p> Client certificate authorization is probably most usefully applied on a per-resource (per-request-path) basis using WASD_CONFIG_AUTH configuration file rules. Of course, per-resource control also applies to services that always require a client certificate (the only difference is the certificate has already been negotiated for during the initial connection handshake). 
The reserved realm name "X509" activates client certificate authentication when a rule belonging to that realm is triggered. The following example shows such a rule providing read access to those possessing any verified certificate. <div class="blockof code">[X509] /path/requiring/cert/* r </div> <p> Optional directives may be supplied to the X.509 authenticator controlling what mode the certificate is accepted in, as well as further access-restriction rules on specifically which certificates may or may not be accepted for authorization. Such directives are passed via the "param=" mechanism. The following real-life example shows a script path requiring a mandatory certificate, but not necessarily having the CA verified. This would allow a certificate display service to be established, the "[to:EXPIRED]" directive forcing the client to explicitly select a certificate with each access. Note that a certificate accepted without CA verification can be generated by anyone; under "[vf:OPTIONAL]" the identity it carries (subject DN, fingerprint or derived remote-user name) is unverified and must not be used to grant access to anything beyond such a display service. <div class="blockof code">[X509] /cgi-bin/client_cert_details r,param="[vf:OPTIONAL][to:EXPIRED]" </div> <p> A number of such directives are available controlling some aspects of the certificate negotiation and verification. The "[LT:integer]" directive causes a verified certificate selection to continue to be valid for the specified period as long as requests continue during that period (lifetime is reset with each access). 
<ul class="list list0"> <li class="item"> [DP:integer] verify certificate CA chain to this depth (default 10) <li class="item"> [LT:integer] verified certificate lifetime in minutes (disabled by default) <li class="item"> [RU:/record=] derive the remote-user name from the specified certificate subject field DN record <li class="item"> [TO:integer] session cache entry timeout in minutes (default 5) <li class="item"> [TO:EXPIRED] session cache entry is forced to expire (initiating renegotiation) <li class="item"> [VF:NONE] no certificate is required (any existing is cancelled) <li class="item"> [VF:OPTIONAL] certificate is required, CA verification is not required (the certificate, and any identity derived from it, is therefore unverified) <li class="item"> [VF:REQUIRED] the certificate must pass CA verification (the default) </ul> <p> Optional "param=" passed conditionals may also be used to provide additional filtering on which certificates may or may not be used against the particular path. This is based on pattern matching against client certificate components. <ul class="list list0"> <li class="item"> [CI:string] transaction cipher <li class="item"> [IS:/record=string] specified Issuer (CA) DN record only <li class="item"> [IS:string] entire Issuer (CA) DN <li class="item"> [KS:integer] minimum key size (in the examples below, and in WWW_AUTH_X509_KEYSIZE, this appears to be the negotiated cipher key size rather than the certificate's key size) <li class="item"> [SU:/record=string] specified Subject (client) DN record only <li class="item"> [SU:string] entire Subject (client) DN </ul> <p> These functions can be used in a similar fashion to mapping rule conditionals (see <a class="link blank" target="_blank" href="../config/#conditionalconfiguration">Conditional Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>). This includes the logical ORing, ANDing and negating of conditionals. Asterisk wildcards match any zero or more characters, percent characters any single character. Matching is case-insensitive. 
<p> Note that the "IS:" and "SU:" conditionals each have a <span class="high italic">specific-record</span> and an <span class="high italic">entire-field</span> mode. If the conditional string begins with a slash then it is considered to be a match against a specified record contents within the field. If it begins with a wildcard then it is matched against the entire field contents. Certificate DN records recognised by WASD, <ul class="list simple list0"> <li class="item"> <span class="high bold italic">C=</span> countryName <li class="item"> <span class="high bold italic">ST=</span> stateOrProvinceName <li class="item"> <span class="high bold italic">SP=</span> stateOrProvinceName <li class="item"> <span class="high bold italic">L=</span> localityName <li class="item"> <span class="high bold italic">O=</span> organizationName <li class="item"> <span class="high bold italic">OU=</span> organizationalUnitName <li class="item"> <span class="high bold italic">CN=</span> commonName <li class="item"> <span class="high bold italic">T=</span> title <li class="item"> <span class="high bold italic">I=</span> initials <li class="item"> <span class="high bold italic">G=</span> givenName <li class="item"> <span class="high bold italic">S=</span> surname <li class="item"> <span class="high bold italic">D=</span> description <li class="item"> <span class="high bold italic">UID=</span> uniqueIdentifier <li class="item"> <span class="high bold italic">Email=</span> pkcs9_emailAddress </ul> <p> The following (fairly contrived) examples provide an illustration of the basics of X509 conditionals. When matching against Issuer and Subject DNs some knowlege of their contents and structure is required (see <a class="link" href="#4.transportlayersecurity">4. Transport Layer Security</a> for some basic resources). 
<div class="blockof code">[X509] # only give "VeriSign"ed ones access /controlled/path1/* r+w,param="[IS:/O=VeriSign\ Inc.]" # only give non-"VeriSign"ed ones access /controlled/path2/* r+w,param="[!IS:/O=VeriSign\ Inc.]" # only allow 128 bit keys using RC4-MD5 access (historical example; RC4-MD5 is obsolete and is not offered by TLS 1.3) /controlled/path3/* r+w,param="[KS:128][CI:RC4-MD5]" # only give a "Thawte"-signed client based in Australia # with the following email address access /controlled/path4/* r+w,param="\ [IS:*/O=Thawte\ Consulting\ cc/*]\ [SU:*/C=AU/*/Email=mark.daniel@wasd.vsm.com.au*]" # use the subject DN common-name record as the remote-user name # furthermore, restrict the CA's allowed to be used this way /VMS/* r+w,param="[RU:/CN=][IS:/O=WASD\ CA\ Cert]" </div> <p> Whenever access is granted on the basis of the Subject DN, or of a remote-user name derived from it, also constrain the Issuer with an "[IS:]" conditional as in the last example above: any CA in the verification file can issue a certificate bearing an arbitrary subject, so a subject-only rule is only as strong as the least trustworthy CA in that file. <p> Of course, access control via group membership is also available. The <span class="high italic">effective username</span> for the list is the 32 hexadecimal digit (128-bit) fingerprint of the client certificate (shown as REMOTE_USER in the first example of <a class="link" href="#4.5.18.x509authorizationcgivariables">4.5.18 X.509 Authorization CGI Variables</a>), or the Subject DN record as specified using the [RU:/<span class="high italic">record</span>=] directive. This may be entered into simple lists as part of a group of which membership then controls access to the resource. The following examples show the contents of simple list files containing the X.509 fingerprints, derived remote-user names, and the required WASD_CONFIG_AUTH realm entries. 
<div class="blockof code"># FINGERPRINTS.$HTL # (a file of X.509 fingerprints for access to "/path/requiring/cert/") 106C8342890A1703AAA517317B145BF7 mark.daniel@wasd.vsm.com.au 6ADA07108C20338ADDC3613D6D8B159D just.another@where.ever.com # CERT_CN.$HTL # (a file of X.509 remote-user names derived using [RU:/CN=] Mark_Daniel mark.daniel@wasd.vsm.com.au Just_Another just.another@where.ever.com [X509;FINGERPRINTS=list] /path/requiring/cert/* r+w [X509;CERT_CN=list] /path/requiring/cn/* r+w </div> <p> In a similar fashion the effective username can be placed in an access restriction list. The following configuration would only allow the user of the certificate access to the specified resources. Other verified certificate holders would be denied access. Note that the "[ru:/cn=]" rules rely on the common name being unique across every CA in the verification file; combine them with an "[IS:]" conditional (as in the /VMS/* example earlier) unless that file contains only a CA under your own control. <div class="blockof code">[X509] /httpd/-/admin/* ~106C8342890A1703AAA517317B145BF7,r+w /wasd_root/local/* ~106C8342890A1703AAA517317B145BF7,r+w /other/path/* ~Mark_Daniel,r+w,param="[ru:/cn=]" /yet/another/path/* ~Just_Another,r+w,param="[ru:/cn=]" </div> <a id="4.5.17" href="#"></a> <a id="4.5.17.certificateauthorityverificationfile" href="#"></a> <a id="certificateauthorityverificationfile" href="#"></a> <h3 class="head"><span class="numb">4.5.17</span><span class="text">Certificate Authority Verification File</span></h3> <p> For the CA certificate component of the client certificate to be verified as being what it claims to be (and thus establishing the integrity of the client certificate) a list of such certificates must be provided for comparison purposes. For WASD this list is contained in a single, plain-text file variously specified using either the WASD_CONFIG_SSL_CAFILE logical or per-service "[ServiceSSLclientCAfile]" directives (shown as "[ServiceSSLVerifyPeerCAfile]" in the "By Service" example above), or the global [SSLverifyPeerCAFile] directive. <p> Copies of CA certificates are available for such purposes. The PEM copies (base-64 encoded versions of the binary certificate) can be placed into this file using any desired text editor. 
Comments may be inserted by prefixing with the "#" character. For WASD this would be best stored in the WASD_ROOT:[LOCAL] directory, or site equivalent, with file protection allowing only the administrator to modify it: every CA certificate in this file can vouch for client identities, so anyone able to append to it can issue client certificates the server will verify. <p> An example of how such a file appears is provided below (bulk of the file has been 8< snipped 8< for brevity). <div class="blockof code">## ## Bundle of CA Root Certificates ## ## Certificate data from Mozilla as of: Wed Jan 18 04:12:05 2017 GMT ## ## This is a bundle of X.509 certificates of public Certificate Authorities ## (CA). These were automatically extracted from Mozilla's root certificates ## file (certdata.txt). This file can be found in the mozilla source tree: ## https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt ## ## It contains the certificates in PEM format and therefore ## can be directly used with curl / libcurl / php_curl, or with ## an Apache+mod_ssl webserver for SSL client authentication. ## Just configure this file as the SSLCACertificateFile. ## ## Conversion done with mk-ca-bundle.pl version 1.27. 
## SHA256: dffa79e6aa993f558e82884abf7bb54bf440ab66ee91d82a27a627f6f2a4ace4 ## GlobalSign Root CA ================== -----BEGIN CERTIFICATE----- MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkGA1UEBhMCQkUx GTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jvb3QgQ0ExGzAZBgNVBAMTEkds b2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAwMDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNV BAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYD VQQDExJHbG9iYWxTaWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDa DuaZjc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavpxy0Sy6sc THAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp1Wrjsok6Vjk4bwY8iGlb Kk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdGsnUOhugZitVtbNV4FpWi6cgKOOvyJBNP c1STE4U6G7weNLWLBYy5d4ux2x8gkasJU26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrX gzT/LCrBbBlDSgeF59N89iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV HRMBAf8EBTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0BAQUF AAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOzyj1hTdNGCbM+w6Dj Y1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE38NflNUVyRRBnMRddWQVDf9VMOyG j/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymPAbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhH hm4qxFYxldBniYUr+WymXUadDKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveC X4XSQRjbgbMEHMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A== -----END CERTIFICATE----- <span class="high italic">8< snip 8<</span> </div> <p> The WASD OpenSSL package provides an example CA verification file. The exact date and source can be found in the opening commentary of the file itself. The contents of this file easily can be pared down to the minimum certificates required for any given site. <p> The bundle may be refreshed at any time using any reliable source. The cURL project provides such a resource suitable for its own use, Apache mod_ssl and WASD. This is sourced from the root certificates used by the Mozilla Foundation for its Firefox product (and others). 
Mozilla uses a non-PEM format source which must be converted before use by WASD. The cURL site provides this already converted for use with its own utility and made available as a general resource. <ul class="list simple list0"> <li class="item"> <a class="link blank" target="_blank" href="http://curl.haxx.se/">http://curl.haxx.se/</a> <li class="item"> <a class="link blank" target="_blank" href="http://curl.haxx.se/docs/caextract.html">http://curl.haxx.se/docs/caextract.html</a> </ul> <p> Download the bundle using a command-line tool as in this example <div class="blockof code">$ curl -o ca-bundle_crt.txt https://curl.haxx.se/ca/cacert.pem </div> or as a save-as dialogue click from your favourite browser and then a transfer onto the VMS system. <ul class="list simple"> <li class="item"> <a class="link blank" target="_blank" href="https://curl.haxx.se/ca/cacert.pem">https://curl.haxx.se/ca/cacert.pem</a> </ul> <p> Fetch the bundle over HTTPS only and, before installing it, compare it with the checksum the cURL site publishes alongside it; a tampered bundle silently adds a CA the server will trust. Bear in mind also that for client certificate authorization every CA in this file can vouch for a client, so the full public bundle is rarely appropriate as-is: pare it down to the CAs that actually issue your clients' certificates, or constrain accepted issuers with "[IS:]" conditionals. <a id="4.5.18" href="#"></a> <a id="4.5.18.x509authorizationcgivariables" href="#"></a> <a id="x509authorizationcgivariables" href="#"></a> <h3 class="head"><span class="numb">4.5.18</span><span class="text">X.509 Authorization CGI Variables</span></h3> <p> CGI variables specific to client certificate authorization are always generated for use by scripts and SSI documents. These along with the general WASD authorization variables are shown in the example below. Note, that due to length of particular items some in this example are displayed wrapped. <div class="blockof code">WWW_AUTH_ACCESS == "READ+WRITE" WWW_AUTH_GROUP == "" WWW_AUTH_REALM == "X509" WWW_AUTH_REALM_DESCRIPTION == "X509 Client Certs" WWW_AUTH_TYPE == "X509" WWW_AUTH_USER == "Mark Daniel, mark.daniel@wasd.vsm.com.au" WWW_AUTH_X509_CIPHER == "RC4-MD5" WWW_AUTH_X509_FINGERPRINT == "10:6C:83:42:89:0A:17:03:AA:A5:17:31:7B:14:5B:F7" WWW_AUTH_X509_ISSUER == "/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. 
By Ref.,LIAB.LTD(c)98/CN=VeriSign Class 1 CA Individual Subscriber-Persona Not Validated" WWW_AUTH_X509_KEYSIZE == "128" WWW_AUTH_X509_SUBJECT == "/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98/OU=Persona Not Validated/OU=Digital ID Class 1 - Netscape /CN=Mark Daniel/Email=mark.daniel@wasd.vsm.com.au" WWW_REMOTE_USER == "106C8342890A1703AAA517317B145BF7" </div> <p> Other CGI variables optionally may be enabled using WASD_CONFIG_MAP mapping rules. See <a class="link" href="#4.7.sslcgivariables">4.7 SSL CGI Variables</a>. Specific client certificate variables providing the details of such certificates are available with SSLCGI=apache_mod_ssl. These are of course in addition to the more general apache_mod_ssl variables described in that section. Note that where some ASN.1 records are duplicated (as in SSL_CLIENT_S_DN) some variables will contain newline characters (0x0A, i.e. decimal 10) between those elements (e.g. SSL_CLIENT_S_DN_OU). The line breaks in this example do not necessarily reflect those characters. Scripts consuming these variables should treat them as untrusted input: subject and extension values are chosen by whoever obtained the certificate (and, under "[vf:OPTIONAL]", by anyone at all) and may contain separators, newlines and wildcard characters. <div class="blockof code"> WWW_SSL_CIPHER == "TLS_AES_256_GCM_SHA384" WWW_SSL_CIPHER_ALGKEYSIZE == "256" WWW_SSL_CIPHER_USEKEYSIZE == "256" WWW_SSL_PROTOCOL == "TLSv1.3" WWW_SSL_SERVER_A_KEY == "rsaEncryption" WWW_SSL_SERVER_A_SIG == "sha256WithRSAEncryption" WWW_SSL_SERVER_E_AUTHORITY_INFORMATION_ACCESS == "OCSP - URI:http://ocsp.int-x3.letsencrypt.org.CA Issuers 8< snip 8< WWW_SSL_SERVER_E_AUTHORITY_INFORMATION_ACCESS_URI == "http://ocsp.int-x3.letsencrypt.org" WWW_SSL_SERVER_E_AUTHORITY_INFORMATION_ACCESS_URI__2 == "http://cert.int-x3.letsencrypt.org/" WWW_SSL_SERVER_E_CT_PRECERTIFICATE_SCTS == "Signed Certificate Timestamp:. Version : v1 (0x0). Log ID : 8< snip 8< WWW_SSL_SERVER_E_X509V3_AUTHORITY_KEY_IDENTIFIER == "keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1." 
WWW_SSL_SERVER_E_X509V3_AUTHORITY_KEY_IDENTIFIER_KEYID == "A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1" WWW_SSL_SERVER_E_X509V3_BASIC_CONSTRAINTS == "CA:FALSE" WWW_SSL_SERVER_E_X509V3_BASIC_CONSTRAINTS_CA == "FALSE" WWW_SSL_SERVER_E_X509V3_CERTIFICATE_POLICIES == "Policy: 2.23.140.1.2.1.Policy: 1.3.6.1.4.1.44947.1.1.1. 8< snip 8< WWW_SSL_SERVER_E_X509V3_CERTIFICATE_POLICIES_CPS == " http://cps.letsencrypt.org" WWW_SSL_SERVER_E_X509V3_CERTIFICATE_POLICIES_POLICY == " 2.23.140.1.2.1" WWW_SSL_SERVER_E_X509V3_CERTIFICATE_POLICIES_POLICY__2 == " 1.3.6.1.4.1.44947.1.1.1" WWW_SSL_SERVER_E_X509V3_EXTENDED_KEY_USAGE == "TLS Web Server Authentication, TLS Web Client Authentication" WWW_SSL_SERVER_E_X509V3_KEY_USAGE == "Digital Signature, Key Encipherment" WWW_SSL_SERVER_E_X509V3_SAN == "dNSName:the.host.name..dNSName:the.host.name" WWW_SSL_SERVER_E_X509V3_SUBJECT_ALTERNATIVE_NAME == "dNSName:the.host.name..dNSName:the.host.name" WWW_SSL_SERVER_E_X509V3_SUBJECT_KEY_IDENTIFIER == "4E:6A:0B:56:F0:EF:1B:1E:71:E1:33:53:A0:39:32:D3:0C:D6:3C:0C" WWW_SSL_SERVER_I_DN == "/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3" WWW_SSL_SERVER_I_DN_C == "US" WWW_SSL_SERVER_I_DN_CN == "Let's Encrypt Authority X3" WWW_SSL_SERVER_I_DN_O == "Let's Encrypt" WWW_SSL_SERVER_M_SERIAL == "03AC67E421D5E26AA843A14F50343FEB1F84" WWW_SSL_SERVER_M_VERSION == "3" WWW_SSL_SERVER_S_DN == "/CN=the.host.name" WWW_SSL_SERVER_S_DN_CN == "the.host.name" WWW_SSL_SERVER_V_END == "Jul 17 13:50:24 2020 GMT" WWW_SSL_SERVER_V_START == "Apr 18 13:50:24 2020 GMT" WWW_SSL_SESSION_ID == "533d71a813a1ee8c5c68ae30c4cd05ac3b673ee9b04ac04567cad18418730dfe" WWW_SSL_TLS_ALPN == "h2" WWW_SSL_TLS_SNI == "the.host.name" WWW_SSL_VERSION_INTERFACE == "HTTPd-WASD/11.5.0 OpenVMS/AXP SSL" WWW_SSL_VERSION_LIBRARY == "OpenSSL 1.1.1c 28 May 2019" </div> <a id="4.6" href="#"></a> <a id="4.6.certificatemanagement" href="#"></a> <a id="certificatemanagement" href="#"></a> <h2 class="head"><span class="numb">4.6</span><span 
class="text">Certificate Management</span></h2> <p> This is not a tutorial on X.509 certificates and their management. Refer to the listed references, <a class="link" href="#4.transportlayersecurity">4. Transport Layer Security</a>, for further information on this aspect. It does provide some basic guidelines. <p> Certificates identify something or someone, associating a public cryptographic key with the identity of the certificate holder. A certificate includes a distinguished name, identification and signature of the certificate authority (CA, the issuer and guarantor of the certificate), and the period for which the certificate is valid, possibly with other, additional information. <p> The three types of certificates of interest here should not be confused. <ul class="list"> <li class="item"> <span class="high bold">CA – </span> The Certificate Authority identifies the <span class="high italic">authority</span>, or organization, that issues a certificate. <li class="item"> <span class="high bold">Server – </span> Identifies a particular end-service. Its value as a guarantee of identity is founded in the <span class="high italic">authority</span> of the organization that issues the certificate. It is the certificate specified to the server at startup. <li class="item"> <span class="high bold">Client – </span> Identifies a particular client to a server via SSL (client authentication). Typically, the identity of the client is assumed to be the same as the identity of a human being. Again, its value as a guarantee of identity is founded in the <span class="high italic">authority</span> of the organization that issues the certificate. </ul> <p> The various OpenSSL tools are available for management of all of these certificate types in each of the three SSL environments. <ul class="list"> <li class="item"> The VSI SSL111 product provides the "SSL Certificate Tool" procedure, which can be used to perform most required certificate management tasks from a menu-driven interface. 
<div class="blockof code">$ @SSL111$COM:SSL111$CERT_TOOL.COM <span class="high bold">SSL Certificate Tool</span> <span class="high bold">Main Menu</span> 1. View a Certificate 2. View a Certificate Signing Request 3. Create a Certificate Signing Request 4. Create a Self-Signed Certificate 5. Create a CA (Certification Authority) Certificate 6. Sign a Certificate Signing Request 7. Revoke a Certificate 8. Create a Certificate Revocation List 9. Hash Certificates 10. Hash Certificate Revocations 11. Exit Enter Option: </div> <li class="item"> The standard OpenSSL toolkit provides a number of command-line tools for creation and management of X.509 certificates. <li class="item"> Or if you prefer something a little less arcane than the (ever so useful) command-line <div class="note"> <a id="4.6.0.0.1" href="#"></a> <a id="4.6.notreallyanendorsementbut" href="#"></a> <a id="notreallyanendorsementbut" href="#"></a> <h5 class="head center"><span class="text">not really an endorsement but</span></h5> <hr class="note_hr"> <p> XCA is a <span class="high bold">GUI application</span> intended for creating and managing X.509 certificates, certificate requests, RSA, DSA and EC private keys, Smartcards and CRLs. It uses the OpenSSL library for the cryptographic operations. The application is available for Linux, macOS and Windows, as well as source code. 
<ul class="list simple list0"> <li class="item"> <a class="link blank" target="_blank" href="https://hohnstaedt.de/xca">https://hohnstaedt.de/xca</a> <li class="item"> <a class="link blank" target="_blank" href="https://sourceforge.net/projects/xca/">https://sourceforge.net/projects/xca/</a> </ul> <hr class="note_hr"> </div> </ul> <a id="4.6.1" href="#"></a> <a id="4.6.1.servercertificate" href="#"></a> <a id="servercertificate" href="#"></a> <h3 class="head"><span class="numb">4.6.1</span><span class="text">Server Certificate</span></h3> <p> The server uses a certificate to establish its identity during the initial phase of the SSL protocol exchange. Each server should have a unique certificate. An example certificate is provided with the WASD OpenSSL package. If this is not available (for instance when using the VSI SSL111 product) then the server will fallback to an internal, default certificate that allows SSL functionality even when no external certification is available. If a "live" SSL site is required a unique certificate issued by a third-party Certificate Authority is desirable. <div class="note"> <a id="4.6.1.0.1" href="#"></a> <a id="4.6.1.letsencrypt" href="#"></a> <a id="letsencrypt" href="#"></a> <h5 class="head center"><span class="text">Let's Encrypt</span></h5> <hr class="note_hr"> Self-signing certificates as described below has a number of shortcomings for general web server certification. Fortunately <span class="high bold">Let's Encrypt</span> makes it possible automatically to obtain and maintain a browser-trusted certificate, simply, and <span class="high bold">at no cost</span>. This is accomplished by running a certificate management agent on the web server. The <span class="high under">WASD Certificate Management Environment</span> (wuCME) may be used to perform this function on VMS. 
<p> See <span class="high bold">wuCME</span> on the WASD download page at <a class="link blank" target="_blank" href="https://wasd.vsm.com.au/wasd/#wucme">https://wasd.vsm.com.au/wasd/</a> <hr class="note_hr"> </div> <a id="4.6.1.0.2" href="#"></a> <a id="4.6.1.selfsignedcertificates" href="#"></a> <a id="selfsignedcertificates" href="#"></a> <h5 class="head"><span class="text">Self-Signed Certificates</span></h5> <p> A less satisfactory alternative to obtaining one of these certificates is provided by the WASD support DCL procedures, which are quick hacks to ease the production of certificates on an ad hoc basis. In all cases it is preferable to directly use the utilities provided with OpenSSL, but the documentation tends to be rather sparse. <p> The VSI <span class="high monosp">SSL111$COM:SSL111$CERT_TOOL.COM</span> described above can create self-signed certificates. <p> <span class="high bold under">Also note that the WASD server dynamically generates a self-signed certificate</span> for TLS services that otherwise do not have a configured server certificate. This is largely for testing a server immediately after installation (e.g. using <span class="high bold">@WASD_ROOT:[INSTALL]DEMO SSL</span> at the command-line) and should be replaced by a configured certificate before the service is exposed to real users. This certificate suffers all the short-comings of self-signed certificates with modern browsers (post-2019) but is better than no certificate at all. Interestingly, <span class="high bold">Incognito/[In]Private instances</span> of a browser are often more relaxed about accepting certificates with recognised security deficiencies (e.g. unknown Certificate Authority signing). At least at the time of writing. <a id="4.6.1.0.3" href="#"></a> <a id="4.6.1.loadingauthoritycertificates" href="#"></a> <a id="loadingauthoritycertificates" href="#"></a> <h5 class="head"><span class="text">Loading Authority Certificates</span></h5> <p> The first requirement may be a tailored "Certificate Authority" certificate. 
As the Certificate Authority is non-authoritative (not trying to be too oxymoronic, i.e. not a well-known CA) these certificates have little value except to allow SSL transactions to be established with trusting clients. More commonly "Server Certificates" for specific host names are required. <p> CA certificates can be loaded into browsers to allow sites using that CA to be accessed by that browser without further dialog. Browsers commonly invoke a server certificate load dialog when encountering a site using a valid but unknown server certificate. Be aware that a CA certificate loaded into a browser is trusted to issue certificates for <span class="high italic">any</span> host name (unless it carries name constraints), so load only a CA whose private key is under your own control and well protected. <p> A manual load is accomplished by requesting the certificate in a format appropriate to the particular browser. This triggers a browser dialog with the user to confirm or refuse the loading of that certificate into the browser Certificate Authority database. <p> To facilitate loading CA certificates into a browser ensure the following entries are contained in the HTTP$CONFIG configuration file: <div class="blockof code">[AddIcon] /httpd/-/binary.gif [BIN] application/x-x509-ca-cert [AddType] .CRT application/x-x509-ca-cert - DER certificate (MSIE) .PEM application/x-x509-ca-cert - Privacy Enhanced Mail certificate </div> <p> Then just provide a link to the required certificate file(s), and click. <a id="4.6.1.0.4" href="#"></a> <a id="4.6.1.changingservercertificates" href="#"></a> <a id="changingservercertificates" href="#"></a> <h5 class="head"><span class="text">Changing Server Certificates</span></h5> <p> If a site's server (or CA certificate) is changed and the server restarted any executing browsers will probably complain (Netscape Navigator reports an I/O error). In this case open the browser's certificate database and delete any relevant, permanently stored certificate entry, then close and restart the browser. The next access should initiate the server certificate dialog, or the CA certificate may be explicitly reloaded. 
<a id="4.6.2" href="#"></a> <a id="4.6.2.certificatesigningrequest" href="#"></a> <a id="certificatesigningrequest" href="#"></a> <h3 class="head"><span class="numb">4.6.2</span><span class="text">Certificate Signing Request</span></h3> <p> Recognised Certificate Authorities (CAs) such as Thawte and VeriSign publish lists of requirements for obtaining a server certificate. These often include such documents required to prove organisational name and the right to use the domain name being requested. Check the particular vendor for the exact requirements. <p> In addition, a document containing the site's public key and distinguished name, signed with the corresponding private key, is required. This is known as the Certificate Signing Request (CSR) and must be generated digitally at the originating site. The private key itself remains on the originating system and is never sent to the CA. <p> Using the VSI SSL111 for OpenVMS product "SSL Certificate Tool" described in <a class="link" href="#4.6.certificatemanagement">4.6 Certificate Management</a> a CSR can easily be generated using its menu-driven interface. The alternative is using a command-line interface tool. <p> The following instructions provide the basics for generating a CSR at the command-line in the WASD and generally any OpenSSL environment (including the VSI SSL111 for OpenVMS product). <ol class="list"> <li class="item"> Change to a secure directory (one not readable by other users, since the private key will be written there). The following is a suggestion. <div class="blockof code">$ SET DEFAULT WASD_ROOT:[LOCAL] </div> <li class="item"> Assign a foreign verb for the OPENSSL application. The location may vary a little depending on which OpenSSL package you have installed. See <a class="link" href="#4.4.opensslexeapplication">4.4 OPENSSL.EXE Application</a>. <li class="item"> Specify a source of lots of "random" data (can be any big file for the purposes of this exercise). Note that a fixed, world-readable file such as this is not a source of entropy; the assignment only satisfies older OpenSSL releases that insisted on a RANDFILE. Current releases seed their random number generator from the operating system and this step may be omitted. <div class="blockof code">$ RANDFILE = "WASD_EXE:HTTPD_SSL.EXE" </div> <li class="item"> Find the template configuration file. You will need to specify this location in a step described below. Should be something like the following. 
<div class="blockof code">WASD_ROOT:[SRC.OPENSSL-<span class="high italic">version</span>.WASD]TEMPLATE.CNF </div> <li class="item"> Generate your private key (RANDFILE data is used by this). The output from this looks something like what's shown. Notice the pass phrase prompts. <span class="high bold">This pass phrase protects your private key, don't forget it!</span> Use a modulus of at least 2048 bits as shown; the 1024-bit keys produced by older versions of this procedure are no longer accepted by public CAs or modern browsers. <div class="blockof code">$ OPENSSL GENRSA -DES3 -OUT SERVER.KEY 2048 Generating RSA private key, 2048 bit long modulus .....++++++ ......++++++ e is 65537 (0x10001) Enter PEM pass phrase: Verifying password - Enter PEM pass phrase: </div> <li class="item"> Generate the Certificate Signing Request using syntax similar to the following (this is where you are required to specify the location of the configuration template). Note that there are quite a few fields - <span class="high bold">GET THEM RIGHT!</span> They need to be unique and local - they're your distinguished name (DN). "Common Name" is the host you want the certificate for. It can be a fully qualified host name (e.g. "klaatu.local.net"), or a local <span class="high italic">wildcard</span> (e.g. "*.local.net") for which you may pay more. Modern browsers ignore the Common Name and match the host name against the certificate's Subject Alternative Name extension; most public CAs populate that from the Common Name, but check the issued certificate contains it. <div class="blockof code">$ OPENSSL REQ -NEW -KEY SERVER.KEY -OUT SERVER.CSR -CONFIG - WASD_ROOT:[SRC.OPENSSL-0_9_6B.WASD]TEMPLATE.CNF Using configuration from template.cnf Enter PEM pass phrase: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. 
----- Country Name (2 letter code) [AU]:AU State or Province Name (full name) [Some-State]:South Australia Locality Name (eg, city) []:Adelaide Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Organizational Unit Name (eg, section) []:WASD Common Name (eg, YOUR name) []:klaatu.local.net Email Address []:Mark.Daniel@wasd.vsm.com.au Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: </div> <li class="item"> That's it! You should have two files in your default directory. <div class="blockof code">SERVER.CSR;1 2 14-MAR-2002 04:38:26.15 SERVER.KEY;1 2 14-MAR-2002 04:31:38.76 </div> <p> Keep the SERVER.KEY file secure. It is the only copy of your private key: set its file protection so that only the owner can read it, never send it to the CA, and keep it off shared or world-readable locations. You'll need it when you receive the certificate back from the CA. <p> The SERVER.CSR is what you send to the CA (usually by mail or Web form). It contains only the public key and DN and needs no special protection. It looks something like the following <div class="blockof code">$ TYPE SERVER.CSR -----BEGIN CERTIFICATE REQUEST----- MIIBPTCB6AIBADCBhDELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2Fw ZTESMBAGA1UEBxMJQ2FwZSBUb3duMRQwEgYDVQQKEwtPcHBvcnR1bml0aTEYMBYG A1UECxMPT25saW5lIFNlcnZpY2VzMRowGAYDVQQDExF3d3cuZm9yd2FyZC5jby56 YTBaMA0GCSqGSIb3DQEBAQUAA0kAMEYCQQDT5oxxeBWu5WLHD/G4BJ+PobiC9d7S 6pDvAjuyC+dPAnL0d91tXdm2j190D1kgDoSp5ZyGSgwJh2V7diuuPlHDAgEDoAAw DQYJKoZIhvcNAQEEBQADQQBf8ZHIu4H8ik2vZQngXh8v+iGnAXD1AvUjuDPCWzFu pReiq7UR8Z0wiJBeaqiuvTDnTFMz6oCq6htdH7/tvKhh -----END CERTIFICATE REQUEST----- </div> <p> You can see the details of this file using the REQ subcommand (RSA reads private keys, not requests) <div class="blockof code">$ OPENSSL REQ -NOOUT -TEXT -IN SERVER.CSR </div> </ol> <a id="4.6.2.0.1" href="#"></a> <a id="4.6.2.afterreceivingthecertificate" href="#"></a> <a id="afterreceivingthecertificate" href="#"></a> <h5 class="head"><span class="text">After Receiving The Certificate</span></h5> <p> Once the signed certificate has been issued by the Certificate Authority it can be placed directly into the server configuration directory, usually WASD_ROOT:[LOCAL], and configured 
for use from there. Using the certificate direct from the CA requires that the private key password be given to the server each time (<a class="link" href="#4.5.9.sslprivatekey">4.5.9 SSL Private Key</a>). It is possible to embed the password into the certificate key so that this is not required. Note that the resulting key is stored without pass-phrase protection, so the file itself must then be protected as carefully as the original key. <p> <span class="high bold">Remember to keep original files secure, only work on copies!</span> <ol class="list"> <li class="item"> Assign a foreign verb for the OPENSSL application. The location may vary a little depending on which OpenSSL package you have installed. <div class="blockof code">$ OPENSSL == "$WASD_ROOT:[SRC.OPENSSL-<span class="high italic">version</span>.AXP.EXE.APPS]OPENSSL.EXE" </div> <p> When using the VSI SSL111 product or other OpenSSL toolkit the verb may already be available. <div class="blockof code">$ SHOW SYMBOL OPENSSL OPENSSL == "$ SSL111$EXE:OPENSSL" </div> <li class="item"> Go to wherever you want to do the work. <div class="blockof code">$ SET DEFAULT WASD_ROOT:[LOCAL] </div> <li class="item"> You may require these additional steps (based on user experience): <ul class="list"> <li class="item"> VeriSign sent certificate with headers like this: <div class="blockof code">-----BEGIN PKCS #7 SIGNED DATA----- -----END PKCS #7 SIGNED DATA----- </div> <p> Using an editor, ensure the header/trailer looks like this: <div class="blockof code">-----BEGIN PKCS7----- -----END PKCS7----- </div> <li class="item"> Then convert into the required intermediate format: <div class="blockof code">$ OPENSSL pkcs7 -print_certs -in SERVER.CERT -outform DER -out CERTIFICATE.PEM </div> <li class="item"> A <span class="high italic">readable</span> version of the new file can be viewed using: <div class="blockof code">$ OPENSSL x509 -noout -text -in CERTIFICATE.PEM </div> </ul> <li class="item"> Using the original key file, embed your password into a copy (the copy is written with the pass-phrase protection removed). When prompted "Enter PEM pass phrase:" enter the password. 
<div class="blockof code">$ OPENSSL rsa -in SERVER.KEY -out WORK.PEM </div> <li class="item"> Append this password-embedded key file to your certificate file. <div class="blockof code">$ COPY CERTIFICATE.PEM,WORK.PEM CERTIFICATE.PEM;0 </div> <li class="item"> Delete the temporary file. The combined CERTIFICATE.PEM now contains the unprotected private key, so restrict its file protection accordingly. <div class="blockof code">$ DELETE WORK.PEM;* </div> </ol> <a id="4.7" href="#"></a> <a id="4.7.sslcgivariables" href="#"></a> <a id="sslcgivariables" href="#"></a> <h2 class="head"><span class="numb">4.7</span><span class="text">SSL CGI Variables</span></h2> <p> CGI variables specific to SSL transactions optionally may be enabled using WASD_CONFIG_MAP mapping rules. (See <a class="link blank" target="_blank" href="../config/#requestprocessingconfiguration">Request Processing Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>). This may be done on a specific per-path or general CGI basis. In the following example, due to the length of particular items, some are displayed wrapped. Also, where some ASN.1 records are duplicated (as in SSL_CLIENT_S_DN), some variables will contain newline characters (0x0A) between those elements (e.g. SSL_CLIENT_S_DN_OU). The line breaks in the examples do not necessarily reflect those characters. 
<a id="4.7.0.0.1" href="#"></a> <a id="4.7.setpathsslcgiapachemodssl" href="#"></a> <a id="setpathsslcgiapachemodssl" href="#"></a> <h5 class="head"><span class="text">set /path/* SSLCGI=apache_mod_ssl</span></h5> <p> <div class="blockof code"> WWW_SSL_CIPHER == "TLS_AES_256_GCM_SHA384" WWW_SSL_CIPHER_ALGKEYSIZE == "256" WWW_SSL_CIPHER_USEKEYSIZE == "256" WWW_SSL_PROTOCOL == "TLSv1.3" WWW_SSL_SERVER_A_KEY == "rsaEncryption" WWW_SSL_SERVER_A_SIG == "sha256WithRSAEncryption" WWW_SSL_SERVER_E_AUTHORITY_INFORMATION_ACCESS == "OCSP - URI:http://ocsp.int-x3.letsencrypt.org.CA Issuers 8< snip 8< WWW_SSL_SERVER_E_AUTHORITY_INFORMATION_ACCESS_URI == "http://ocsp.int-x3.letsencrypt.org" WWW_SSL_SERVER_E_AUTHORITY_INFORMATION_ACCESS_URI__2 == "http://cert.int-x3.letsencrypt.org/" WWW_SSL_SERVER_E_CT_PRECERTIFICATE_SCTS == "Signed Certificate Timestamp:. Version : v1 (0x0). Log ID : 8< snip 8< WWW_SSL_SERVER_E_X509V3_AUTHORITY_KEY_IDENTIFIER == "keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1." WWW_SSL_SERVER_E_X509V3_AUTHORITY_KEY_IDENTIFIER_KEYID == "A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1" WWW_SSL_SERVER_E_X509V3_BASIC_CONSTRAINTS == "CA:FALSE" WWW_SSL_SERVER_E_X509V3_BASIC_CONSTRAINTS_CA == "FALSE" WWW_SSL_SERVER_E_X509V3_CERTIFICATE_POLICIES == "Policy: 2.23.140.1.2.1.Policy: 1.3.6.1.4.1.44947.1.1.1. 
8< snip 8< WWW_SSL_SERVER_E_X509V3_CERTIFICATE_POLICIES_CPS == " http://cps.letsencrypt.org" WWW_SSL_SERVER_E_X509V3_CERTIFICATE_POLICIES_POLICY == " 2.23.140.1.2.1" WWW_SSL_SERVER_E_X509V3_CERTIFICATE_POLICIES_POLICY__2 == " 1.3.6.1.4.1.44947.1.1.1" WWW_SSL_SERVER_E_X509V3_EXTENDED_KEY_USAGE == "TLS Web Server Authentication, TLS Web Client Authentication" WWW_SSL_SERVER_E_X509V3_KEY_USAGE == "Digital Signature, Key Encipherment" WWW_SSL_SERVER_E_X509V3_SAN == "dNSName:the.host.name..dNSName:the.host.name" WWW_SSL_SERVER_E_X509V3_SUBJECT_ALTERNATIVE_NAME == "dNSName:the.host.name..dNSName:the.host.name" WWW_SSL_SERVER_E_X509V3_SUBJECT_KEY_IDENTIFIER == "4E:6A:0B:56:F0:EF:1B:1E:71:E1:33:53:A0:39:32:D3:0C:D6:3C:0C" WWW_SSL_SERVER_I_DN == "/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3" WWW_SSL_SERVER_I_DN_C == "US" WWW_SSL_SERVER_I_DN_CN == "Let's Encrypt Authority X3" WWW_SSL_SERVER_I_DN_O == "Let's Encrypt" WWW_SSL_SERVER_M_SERIAL == "03AC67E421D5E26AA843A14F50343FEB1F84" WWW_SSL_SERVER_M_VERSION == "3" WWW_SSL_SERVER_S_DN == "/CN=the.host.name" WWW_SSL_SERVER_S_DN_CN == "the.host.name" WWW_SSL_SERVER_V_END == "Jul 17 13:50:24 2020 GMT" WWW_SSL_SERVER_V_START == "Apr 18 13:50:24 2020 GMT" WWW_SSL_SESSION_ID == "533d71a813a1ee8c5c68ae30c4cd05ac3b673ee9b04ac04567cad18418730dfe" WWW_SSL_TLS_ALPN == "h2" WWW_SSL_TLS_SNI == "the.host.name" WWW_SSL_VERSION_INTERFACE == "HTTPd-WASD/11.5.0 OpenVMS/AXP SSL" WWW_SSL_VERSION_LIBRARY == "OpenSSL 1.1.1c 28 May 2019" </div> <p> The Apache <span class="high italic">mod_ssl</span> client certificate details described in <a class="link" href="#4.5.18.x509authorizationcgivariables">4.5.18 X.509 Authorization CGI Variables</a> above are not shown in the above example but would be included if the request was X.509 authenticated. 
<p> X509 certificate extensions are in general visible from WATCH and accessible via CGI variables when enabled using SET <span class="high italic">SSLCGI=apache_mod_ssl_extens</span> and <span class="high italic">SSLCGI=apache_mod_ssl_client</span> path mappings. <a id="4.8" href="#"></a> <a id="4.8.sslserviceevaluation" href="#"></a> <a id="sslserviceevaluation" href="#"></a> <h2 class="head"><span class="numb">4.8</span><span class="text">SSL Service Evaluation</span></h2> <p> This section is just the barest introduction to a significant topic. <a id="4.8.0.0.1" href="#"></a> <a id="4.8.qualysssllab" href="#"></a> <a id="qualysssllab" href="#"></a> <h5 class="head"><span class="text">Qualys SSL Lab</span></h5> <p> "How well do you know SSL? If you want to learn more about the technology that protects the Internet, you've come to the right place." <p class="indent"> <a class="link blank" target="_blank" href="https://www.ssllabs.com/">https://www.ssllabs.com/</a> <p> Not necessarily an endorsement by WASD but a useful resource in itself. <p> Provides a <span class="high italic">free and unencumbered</span>, comprehensive SSL Server test service <p class="indent"> <a class="link blank" target="_blank" href="https://www.ssllabs.com/ssltest/">https://www.ssllabs.com/ssltest/</a> <p> reporting on certificate status, protocol version, cipher suites, handshakes with various simulated clients, and protocol details including known vulnerabilities. It also summarises the report with a colour-coded rating. <a id="4.8.0.0.2" href="#"></a> <a id="4.8.athome" href="#"></a> <a id="athome" href="#"></a> <h5 class="head"><span class="text">At Home</span></h5> <p> So to speak. <p> The OPENSSL command-line application (<a class="link" href="#4.4.opensslexeapplication">4.4 OPENSSL.EXE Application</a>) provides a configurable client for checking and testing various aspects of server configuration and behaviour. 
The basic operation, represented by the command line <div class="blockof code">$ openssl s_client -host <span class="high left italic">&lt;host name or address></span> -port 443 </div> provides a comprehensive report including certificates and certificate chain, the protocol version and cipher negotiated, along with more esoteric elements of TLS/SSL. Some data have been 8< snipped 8< for brevity in the following example. <div class="blockof code">$ openssl s_client -host klaatu.private -port 443 WARNING: can't open config file: SSLROOT:[000000]openssl.cnf CONNECTED(00000003) depth=0 C = AU, ST = SA, L = Adelaide, O = WASD Server Cert, OU 8< snip 8< verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 C = AU, ST = SA, L = Adelaide, O = WASD Server Cert, OU 8< snip 8< verify error:num=27:certificate not trusted verify return:1 depth=0 C = AU, ST = SA, L = Adelaide, O = WASD Server Cert, OU 8< snip 8< verify error:num=21:unable to verify the first certificate verify return:1 --- Certificate chain 0 s:/C=AU/ST=SA/L=Adelaide/O=WASD Server Cert/OU=OpenSSL 1.0.1 8< snip 8< i:/C=AU/ST=SA/L=Adelaide/O=WASD CA Cert/OU=OpenSSL 1.0.1j Te 8< snip 8< --- Server certificate -----BEGIN CERTIFICATE----- MIIFsjCCBJqgAwIBAgIBBDANBgkqhkiG9w0BAQQFADCBtjELMAkGA1UEBhMCQVUx 8< snip 8< pErvrfr69iDbJbhO+mRmIkZIXHc5CFV/M1zzLD5240ixxu/d6nAUBhGba0W4Kste x1SgLJ0BqFTjegxuHRXkK5lOlY11Hw== -----END CERTIFICATE----- subject=/C=AU/ST=SA/L=Adelaide/O=WASD Server Cert/OU=OpenSSL 1. 
8< snip 8< issuer=/C=AU/ST=SA/L=Adelaide/O=WASD CA Cert/OU=OpenSSL 1.0.1j 8< snip 8< --- No client certificate CA names sent --- SSL handshake has read 1791 bytes and written 625 bytes ---<span style="background-color:yellow"> New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384 Server public key is 2048 bit</span> Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session:<span style="background-color:yellow"> Protocol : TLSv1.2 Cipher : AES256-GCM-SHA384</span> Session-ID: 61FEC1629DA3E675AA124223CDB9CB5AB7701D872E85E15 8< snip 8< Session-ID-ctx: Master-Key: F4260DFE9A7370B3EA85D22D89DB8A7925C655159C3C509 8< snip 8< Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - 63 d6 2a 84 19 fe f6 9a-13 60 e1 8a 65 dd f9 fc c.*......`..e... 8< snip 8< 00a0 - 9a 2d 29 9b 8e aa ab 69-11 0d 45 ed 63 48 f5 4f .-)....i..E.cH.O Start Time: 1415828121 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate) --- 8< snip 8< </div> <p> The Master-Key (and, with TLSv1.3, the Resumption PSK) printed by s_client is secret material for that session; snip it, as done here, before sharing a transcript. <p> A "bad select 38" message is a VMS (C-RTL) limitation of earlier versions of OpenSSL and is not present in later versions or on other platforms, and the default use of s_client will prompt for an HTTP request line, send that to the server, and report the response. 
<p> Checking whether a specific protocol version is enabled on a site (SSLv2, SSLv3, TLSv1 and TLSv1.1 are deprecated, so for a production service the expected result for those is the "NOT supported" output shown below; an option for a protocol the local OpenSSL was built without is rejected by the client itself): <div class="blockof code">$ openssl s_client -ssl2 -host <span class="high left italic">&lt;host name or address></span> -port 443 $ openssl s_client -ssl3 -host <span class="high left italic">&lt;host name or address></span> -port 443 $ openssl s_client -tls1 -host <span class="high left italic">&lt;host name or address></span> -port 443 $ openssl s_client -tls1_1 -host <span class="high left italic">&lt;host name or address></span> -port 443 $ openssl s_client -tls1_2 -host <span class="high left italic">&lt;host name or address></span> -port 443 $ openssl s_client -tls1_3 -host <span class="high left italic">&lt;host name or address></span> -port 443 </div> <p> The following example shows a server test where the protocol version is NOT supported. <div class="blockof code">$ openssl s_client -ssl3 -host klaatu.private -port 443 8< snip 8< SSL handshake has read 7 bytes and written 0 bytes ---<span style="background-color:yellow"> New, (NONE), Cipher is (NONE)</span> Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE SSL-Session:<span style="background-color:yellow"> Protocol : SSLv3 Cipher : 0000</span> 8< snip 8< </div> <a id="4.8.0.0.3" href="#"></a> <a id="4.8.tlsversion13" href="#"></a> <a id="tlsversion13" href="#"></a> <h5 class="head"><span class="text">TLS Version 1.3</span></h5> <a id="4.8.0.0.3.1" href="#"></a> <a id="4.8.testtlsversion13" href="#"></a> <a id="testtlsversion13" href="#"></a> <h6 class="head display0"><span class="text">test TLS Version 1.3</span></h6> <p> Server TLSv1.3 response may be checked using OPENSSL.EXE v1.1.1 or later. 
<div class="blockof code">$ OPENSSL version OpenSSL 1.1.1 11 Sep 2018 $ OPENSSL s_client --host wasd.xxxxxxxxxx.xxx --port 443 CONNECTED(00000003) depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 verify error:num=20:unable to get local issuer certificate --- Certificate chain 0 s:CN = wasd.xxxxxxxxx.xxx i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 i:O = Digital Signature Trust Co., CN = DST Root CA X3 --- Server certificate -----BEGIN CERTIFICATE----- MIIHJDCCBgygAwIBAgISA8gmjxQDyTgXeAfy7ehpvXeBMA0GCSqGSIb3DQEBCwUA 8< snip 8< rL2n3YpsP2xuCwV6ZT+etAl1IrtmXuC9tnG2QRVtVJn7wyUacUTz3XuKagS9w6Bo be0oPuGGnT0= -----END CERTIFICATE----- subject=CN = wasd.xxxxxxxxx.xxx issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 --- No client certificate CA names sent Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits --- SSL handshake has read 3827 bytes and written 393 bytes Verification error: unable to get local issuer certificate --- <span style="background-color:yellow"> New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384</span> Server public key is 4096 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 20 (unable to get local issuer certificate) --- --- Post-Handshake New Session Ticket arrived: SSL-Session: <span style="background-color:yellow"> Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384</span> Session-ID: 0074FBDFD12EF693B0419611204FF9EC6BFA3C006A2A7D312A9435CF7D79FE3A Session-ID-ctx: Resumption PSK: 3176C237B08F4E83B7AC32CBC79C8B79CC8FBA20837419682C4A97998898ECDE13F5254E0820C977AEC0B63C9B4B21C8 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 5400 (seconds) TLS session ticket: 0000 - a7 99 08 ba aa 75 1d 53-68 c4 66 fb 5e 43 5e b2 .....u.Sh.f.^C^. 
8< snip 8< 00d0 - 5d a5 3c 10 5e 4c 41 4b-bb 15 c9 5c 08 fe e1 1f ].<.^LAK...\.... Start Time: 1537620807 Timeout : 7200 (sec) Verify return code: 20 (unable to get local issuer certificate) Extended master secret: no Max Early Data: 0 --- read R BLOCK --- Post-Handshake New Session Ticket arrived: SSL-Session: <span style="background-color:yellow"> Protocol : TLSv1.3 Cipher : TLS_AES_256_GCM_SHA384</span> Session-ID: 8DB922A11FD02889CED45C4D125C5A55B5F76B42B49826EF39CA265988FA4FA9 Session-ID-ctx: Resumption PSK: 60F73CE06DDDA5737B607A20DF7E13D85CBFFD695DB98B53B9AF09A0DABE6B34A0F50F86E2578845F1E0EA799B014B42 PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 5400 (seconds) TLS session ticket: 0000 - a7 99 08 ba aa 75 1d 53-68 c4 66 fb 5e 43 5e b2 .....u.Sh.f.^C^. 8< snip 8< 00d0 - 92 32 8d 2c 9c 22 54 b1-6e 24 9a c3 de 1a de a2 .2.,."T.n$...... Start Time: 1537620807 Timeout : 7200 (sec) Verify return code: 20 (unable to get local issuer certificate) Extended master secret: no Max Early Data: 0 --- read R BLOCK read:errno=0 </div> <a id="4.9" href="#"></a> <a id="4.9.sslreferences" href="#"></a> <a id="sslreferences" href="#"></a> <h2 class="head"><span class="numb">4.9</span><span class="text">SSL References</span></h2> <p> The following provide a starting-point for investigating SSL and OpenSSL further (verified available at time of publication). <ul class="list"> <li class="item"> <a class="link blank" target="_blank" href="http://www.openssl.org/">http://www.openssl.org/</a> <br> OpenSSL Project. This site is the prime source for the full toolkit, documentation, related links, news and support via mailing lists, etc. 
<br> <a class="link blank" target="_blank" href="http://wiki.openssl.org/">http://wiki.openssl.org/</a> <br> OpenSSL Wiki <li class="item"> <a class="link blank" target="_blank" href="https://www.oreilly.com/library/view/high-performance-browser/9781449344757/ch04.html">https://www.oreilly.com/library/view/high-performance-browser/9781449344757/ch04.html</a> <br> Ilya Grigorik - Transport Layer Security (TLS) <br> From the excellent <a class="link blank" target="_blank" href="https://www.oreilly.com/library/view/high-performance-browser/9781449344757/">https://www.oreilly.com/library/view/high-performance-browser/9781449344757/</a> <li class="item"> <a class="link blank" target="_blank" href="http://en.wikipedia.org/wiki/Transport_Layer_Security">http://en.wikipedia.org/wiki/Transport_Layer_Security</a> <br> Wikipedia - Transport Layer Security (SSL) <li class="item"> <a class="link blank" target="_blank" href="https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.md">https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.md</a> <br> OWASP Transport Layer Protection Cheat Sheet <li class="item"> <a class="link blank" target="_blank" href="http://en.wikipedia.org/wiki/OpenSSL">http://en.wikipedia.org/wiki/OpenSSL</a> <br> Wikipedia - OpenSSL <li class="item"> <a class="link blank" target="_blank" href="http://en.wikipedia.org/wiki/Public_key_infrastructure">http://en.wikipedia.org/wiki/Public_key_infrastructure</a> <br> Wikipedia - Public-Key Infrastructure <li class="item"> <a class="link blank" target="_blank" href="https://www.ssllabs.com/">https://www.ssllabs.com/</a> <br> Qualys SSL Labs <br> <a class="link blank" target="_blank" href="https://www.ssllabs.com/ssltest/">https://www.ssllabs.com/ssltest/</a> <br> SSL Server Test <li class="item"> <a class="link blank" target="_blank" 
href="https://www.feistyduck.com/books/openssl-cookbook/">https://www.feistyduck.com/books/openssl-cookbook/</a> <br> OpenSSL Cookbook by Ivan Ristic (of Qualys Labs) <br> As promoted by OpenSSL.org <li class="item"> <a class="link blank" target="_blank" href="https://www.openssl.org/docs/manmaster/man1/openssl.html">https://www.openssl.org/docs/manmaster/man1/openssl.html</a> <br> <a class="link blank" target="_blank" href="https://wiki.openssl.org/index.php/Command_Line_Utilities">https://wiki.openssl.org/index.php/Command_Line_Utilities</a> <br> OPENSSL.EXE application <li class="item"> <a class="link blank" target="_blank" href="http://hohnstaedt.de/xca">http://hohnstaedt.de/xca</a> <br> <a class="link blank" target="_blank" href="https://sourceforge.net/projects/xca/">https://sourceforge.net/projects/xca/</a> <br> XCA is a GUI application intended for creating and managing X.509 certificates, certificate requests, RSA, DSA and EC private keys, Smartcards and CRLs. </ul> <!-- source:0500_HTTP2.WASDOC --> <hr class="page"> <a id="5." 
href="#"></a> <a id="5.http2" href="#"></a> <a id="http2" href="#"></a> <h1 class="head"><span class="numb">5.</span><span class="text">HTTP/2</span></h1> <div class="TOC2cols2"> <table class="TOC2table"> <tr><td><a href="#5.1.wasdhttp2"><span class="numb">5.1</span><span class="text">WASD HTTP/2</span></a> <tr><td><a href="#5.2.http2andperformance"><span class="numb">5.2</span><span class="text">HTTP/2 and Performance</span></a> <tr><td><a href="#5.3.http2configuration"><span class="numb">5.3</span><span class="text">HTTP/2 Configuration</span></a> <tr><td><a href="#5.3.1.globalconfiguration"><span class="numb">5.3.1</span><span class="text">Global Configuration</span></a> <tr><td><a href="#5.3.2.serviceconfiguration"><span class="numb">5.3.2</span><span class="text">Service Configuration</span></a> <tr><td><a href="#5.3.3.http2setrules"><span class="numb">5.3.3</span><span class="text">HTTP/2 Set Rules</span></a> <tr><td><a href="#5.4.http2detection"><span class="numb">5.4</span><span class="text">HTTP/2 Detection</span></a> <tr><td><a href="#5.5.http2references"><span class="numb">5.5</span><span class="text">HTTP/2 References</span></a> </table> </div> <table class="NAVtable NAVprint"><tr> <td><a href="javascript:window.history.back();">↩︎</a> <td><a href="#4.">↖︎</a> <td><a href="#0.">↑︎</a> <td><a href="#6.">↘︎</a> <td><a href="javascript:window.history.forward();">↪︎</a> </table> <p> HTTP/2 is the most recent standard (RFC 7540, 2015) for implementing how HTTP is represented by, and transported between, client and server. It is not a ground-up rewrite of the established standard, HTTP/1.1 (RFC 2616, 1999). Those elements and semantics remain substantially the same. Instead HTTP/2 modifies how the data is encapsulated (framed) and transferred between agents, abstracting the complexity of this within the new protocol layer, leaving the application level largely insulated from change. 
As a result all existing HTTP/1.1 web-based environments should be able to continue without modification. <p> The focus of the protocol is on performance, in particular end-user perceived page rendering and web application responsiveness. With the original web use case being a relatively simple, single resource request-response, and early markup involving text with a few illustrative images, the single network connection, back-to-back request-response paradigm was simple to implement and worked well enough. In short time this moved to multiple network connections, each loading elements in parallel as the complexity and density of the individual elements on the pages increased, and to the introduction of HTTP/1.1 <span class="high italic">pipelining</span> (back-to-back requests over a single connection) in an attempt to avoid request-response-request latency. Modern web documents and applications tend to have dozens of fine-grained elements that dynamically load resources based on the content of the page and/or user interaction. The single, then multiple network connections, each with its round-trip TCP connection establishment overhead and request-response blocking of resources, did not scale effectively. HTTP/2 replaces it with a single TCP connection on which multiple resources concurrently can be requested, pushed, and transferred. A more rigorous and effective implementation of the pipeline concept. <p> While multiplexing communication over a single network connection is a core performance technology there are other contributing elements. The framing layer uses binary tokens and parameters. The plain-text request and response headers of HTTP/1.<span class="high italic">n</span> are replaced with tokenised, encoded and dynamically cached equivalents, commonly providing compression in excess of eighty percent. The relationship and priority of resources can be established allowing inferior resources to be delivered after or dependent on superior ones. 
The HTTP/2 server can send multiple responses to a single request. Known as <span class="high italic">server push</span> it can be used to pre-load the browser (cache) with resources it has not encountered yet. <p> HTTP/2 has the potential to place additional load on the client and server in comparison to HTTP/1.<span class="high italic">n</span>. One particular consideration for WASD sites is the <span class="high italic">stream concurrency</span> setting of the HTTP/2 connection. The server specifies to the client the maximum number of concurrent request-response (and server push) <span class="high italic">streams</span> it will accept. RFC 7540 contains, "This limit is directional: it applies to the number of streams that the sender permits the receiver to create. Initially, there is no limit to this value. It is recommended that this value be no smaller than 100, so as to not unnecessarily limit parallelism." This translates to a hypothetical ten browsers connected to the site each with up to one hundred concurrent streams, or potentially one thousand active requests! From a resource-exhaustion standpoint the advertised limit is the upper bound on what a single connection can demand of the server. Time to check those server configuration and SYSGEN parameters… <p> Note that HTTP/1.1 has recently been revisited with the RFC 7230 family of specifications (2014) providing some clarifications and refinements on the original. <a id="5.1" href="#"></a> <a id="5.1.wasdhttp2" href="#"></a> <a id="wasdhttp2" href="#"></a> <h2 class="head"><span class="numb">5.1</span><span class="text">WASD HTTP/2</span></h2> <p> WASD HTTP/2 implements all of the essential requirements of RFC 7540 (naturally enough). This includes the framing protocol, datagram (message) and stream management, header compression (RFC 7541), connection settings and flow control, along with HTTP/2 connection establishment and termination (TLS ALPN and HTTP upgrade). It does not ((perhaps) currently) provide server-push or stream prioritisation and dependency. 
<p> Prior to the introduction of HTTP/2, WASD's fundamental abstraction was the request, with each request interfacing directly with the network stack. With an HTTP/2 protocol connection somewhat supplanting the role of a Transmission Control Protocol (TCP) connection in HTTP/1.<span class="high italic">n</span>, a new level of communication abstraction was required between the request processing and the network processing. It should be noted that HTTP/2 itself is transported on TCP. <p> Another new layer of abstraction required interfacing each protocol's request/response header formats with the underlying server processing (avoiding excessive duplication of code). HTTP/1.<span class="high italic">n</span> has a plain-text, carriage-control separated format, while HTTP/2 has a binary, compressed, lookup-table oriented format (RFC 7541). The layer was implemented using a <span class="high italic">key</span>-<span class="high italic">value</span> dictionary. <p> The accommodations for handling both HTTP/2 and HTTP/1.1, along with related and ancillary design and code changes, have not measurably impacted overall WASD performance, although as noted below there is a server process CPU impost associated with HTTP/2. <div class="note"> <a id="5.1.0.0.1" href="#"></a> <a id="5.1.itsfairtosayhellip" href="#"></a> <a id="itsfairtosayhellip" href="#"></a> <h5 class="head center"><span class="text">It's fair to say…</span></h5> <hr class="note_hr"> Reimplementing the complexities and subtleties of TCP — and adding a few of its own — up in the application layer has made HTTP/2 a significantly more complicated and less transparent protocol than HTTP/1.1 and, while solving some minor annoyances with it, has sacrificed the usefulness and elegance of a once readable byte-stream. It has certainly added layers and associated processing to WASD, breaking the original I/O event driven design for possibly minor performance improvements. 
<hr class="note_hr"> </div> <a id="5.1.0.0.2" href="#"></a> <a id="5.1.http2andwatch" href="#"></a> <a id="http2andwatch" href="#"></a> <h5 class="head"><span class="text">HTTP/2 and WATCH</span></h5> <p> WATCH reports have the network item: [x]HTTP/2. This provides a detailed overview of the underlying framing and connection management exchanges between client and server. WATCH reports are available to HTTP/2 connected clients with one consideration. Due to multiplexed requests over the single network connection, WATCHing the [x]HTTP/2 item of another request in the same browser (using the same HTTP/2 connection - and there <span class="high italic">can</span> be multiple from a single browser) is not possible (or at least more code than it's worth). The HTTP/2 activity of the WATCHing generates more report items which generate … a descent into reporting oblivion. <p> WASD detects when a request is initiated on the same HTTP/2 connection as an [x]HTTP/2 WATCHing client and if this sort of reporting cascade is possible (any <span class="high italic">networking</span> group item) advises <div class="blockof code">|Time_______|Module__|Line|Item|Category__|Event...| |22:00:55.22 WATCH 1823 0004 CONNECT HTTP/2 with 192.168.1.2,62446 on https://klaatu.private,443 (0.0.0.0)| |22:00:55.22 WATCH 1454 0004 CONNECT HTTP/2 rabbit hole| </div> Such a request is not reported on further. <p> Workarounds? <ul class="list list0"> <li class="item"> WATCH from an independent browser instance. Often requires a separate host or different browser (e.g. Chrome and Firefox on the same host). <li class="item"> Have an HTTP/1.1 (only) service on the same server and use WATCH from that. 
</ul> <a id="5.2" href="#"></a> <a id="5.2.http2andperformance" href="#"></a> <a id="http2andperformance" href="#"></a> <h2 class="head"><span class="numb">5.2</span><span class="text">HTTP/2 and Performance</span></h2> <p> With HTTP/2 not modifying the fundamentals of HTTP/1.1 semantics the commonly touted payoff for all the additional complexity (in implementation) is performance. While this is often stated in terms of page rendering speeds or web application responsiveness there is another significant measure of performance - efficiency. HTTP/2 much more efficiently utilises each network (TCP) connection, as well as reducing the (time and processing) overhead of setting-up and tearing-down of each of these required for parallelism under HTTP/1.1. <a id="5.2.0.0.1" href="#"></a> <a id="5.2.isitallworthitnbspnbspasmightbeexpectedndashthatdepends" href="#"></a> <a id="isitallworthitnbspnbspasmightbeexpectedndashthatdepends" href="#"></a> <h5 class="head"><span class="text">Is it all worth it? As might be expected – that depends.</span></h5> <p> There are a number of sufficiently good analyses of both the factors that affect HTTP/2 performance and the actual performance relative to HTTP/1.1. See the references section and search the Web. This section contains some observations made during WASD HTTP/2 development. All of these seem to correspond with others' observations, as well as what might reasonably be expected considering the strategies employed by the protocol. <ul class="list"> <li class="item"> For simple request-response use cases (e.g. download a file) HTTP/2 makes no observable performance difference. <li class="item"> Where multiple resources need to be loaded by a page the measurable performance improvement is proportional to the number of resources and the latency of the network. <li class="item"> In a low-latency environment such as the average LAN (e.g. 
5ms RTT) HTTP/2 makes minimal difference irrespective of the number of resources loaded (until it reaches ridiculous quantities). <li class="item"> In a high-latency environment such as a VPN spanning half the globe (e.g. 350ms RTT) HTTP/2 makes an obvious and of course measurable improvement for anything other than a trivial number of resources. <li class="item"> On a CPU-constrained system HTTP/1.<span class="high italic">n</span> is significantly more responsive than HTTP/2. This is unsurprising considering the explicit multiplexing and header marshalling employed by HTTP/2. <li class="item"> On the developer's bench there is ~10% more CPU consumed for the same load profile** via HTTP/2 compared to HTTP/1.1 for similar durations. This is (probably) due to header compression and multiplexed stream processing. It is (probably) offset (to some degree) by fewer resources consumed in the network stack managing the multiple TCP connections of HTTP/1.1. <p> As also related in <a class="link" href="#11.serverperformance">11. Server Performance</a>, using the same load profile as above** and using HTTP/1.1, WASD v11.0 compared to v10.4 showed ~5% additional CPU and duration. This is (probably) largely due to dictionary processing. <p class="indent"> ** <span class="high italic">100 individual files, size 2kB to 250kB, 50 concurrent, ~30% CPU utilisation (~5% USER mode, mostly INTERRUPT servicing), batched 10,000 at a time over a LAN.</span> </ul> <div class="note"> <a id="5.2.0.0.2" href="#"></a> <a id="5.2.ymmv" href="#"></a> <a id="ymmv" href="#"></a> <h5 class="head center"><span class="text">YMMV!</span></h5> <hr class="note_hr"> After some months (and now years) accessing WASD HTTP/2 over various LANs and WANs the developer, FWIW, can't shake the perception that it <span class="high italic">seems</span> generally more responsive in the real world. 
Yet interestingly … <hr class="note_hr"> </div> <a id="5.2.0.0.3" href="#"></a> <a id="5.2.performanceassessment" href="#"></a> <a id="performanceassessment" href="#"></a> <h5 class="head"><span class="text">Performance Assessment</span></h5> <p> As described in <a class="link blank" target="_blank" href="../config/#serverandsitetesting">Server and Site Testing</a> in <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a> the OWASP ZAP application is integral to WASD test and exercise. It can generate an intense stream of traffic via cleartext (port 80) or TLS (port 443). <div class="drawing dfont draw indent"> <style> .dhflip { display:inline-block;transform:rotate(180deg); } .dvflip { display:inline-block;transform:rotate(-180deg); } .dnoflip { display:inline-block;transform:rotate(360deg); } .dfont { font-family:monospace;font-size:1em;line-height:0.9em;line-spacing:0em; } </style> ┌───────────┐ ┌────────────┐<br> │ │<span class="dnoflip">◄</span>──HTTP/1.1 clear──<span class="dhflip">◄</span>│ │<br> │ OWASP ZAP │ │ WASD │<br> │ │<span class="dnoflip">◄</span>───HTTP/1.1 TLS───<span class="dhflip">◄</span>│ │<br> └───────────┘ └────────────┘<br> </div> <p> Using the <span class="high italic">nghttpx</span> proxy utility (see reference below) it is also used to exercise WASD's HTTP/2. 
<div class="drawing dfont draw indent"> ┌───────────┐ ┌────────────┐ ┌────────────┐ <br> │ │<span class="dnoflip">◄</span>──HTTP/1.1 clear──<span class="dhflip">◄</span>│ │ │ │<br> │ OWASP ZAP │ │ nghttpx │<span class="dnoflip">◄</span>──HTTP/2 TLS──<span class="dhflip">◄</span>│ WASD │<br> │ │<span class="dnoflip">◄</span>───HTTP/1.1 TLS───<span class="dhflip">◄</span>│ │ │ │<br> └───────────┘ └────────────┘ └────────────┘<br> </div> <p> On the development bench Alpha PWS500 formal performance assessment using this is disappointing <span class="high _frowny"> </span> <p> See <a class="link" href="#11.1.http2encrypted">‘HTTP/2 (encrypted)’ in 11.1 Simple File Request Turn-Around</a> in section <a class="link" href="#11.serverperformance">11. Server Performance</a>. <p> This may just reflect the CPU capacity of the benchmark system and that all requests are being transported through a single encrypted connection. <a id="5.2.0.0.4" href="#"></a> <a id="5.2.httpreport" href="#"></a> <a id="httpreport" href="#"></a> <h5 class="head"><span class="text">HTTP Report</span></h5> <p> WASD keeps track of HTTP family statistics. <p> After 3.8 million requests via OWASP ZAP using the above configuration over a number of spider-generated scans, one third of which were HTTP/2, one third over TLS HTTP/1.1, and another third cleartext HTTP/1.1, the following image suggests requests using HTTP/2 take approximately 50% of HTTP/1.1. <a class="imglink" target="_blank" href="./http_report.png"><img class="image" src="./http_report.png"></a> <a id="5.2.0.0.5" href="#"></a> <a id="5.2.otherassessment" href="#"></a> <a id="otherassessment" href="#"></a> <h5 class="head"><span class="text">Other Assessment</span></h5> <p> The simplest tool for getting a <span class="high italic">feel</span> for, and elementary measurement of HTTP/2 may be found in the <a class="link blank" target="_blank" href="/wasd_root/exercise/*.*">WASD_ROOT:[EXERCISE]</a> directory. 
The document DOTTY.HTML and its companion files provide a page that loads a selectable number of resources (images) in a consistent and reproducible manner. This DOTTY.HTML can be accessed via unencrypted HTTP (http://), encrypted HTTP (https://) and services configured to provide HTTP/2 or HTTP/1.1. Using these combinations with the selectable volume of resources, elementary comparisons may be made in target environments. <p> The Server Admin, HTTP Report (<a class="link" href="#9.serveradministration">9. Server Administration</a>) contains comparative duration and bytes-per-second minimum/maximum/average for total server HTTP/2 and HTTP/1.<span class="high italic">n</span> requests. These cannot simply be taken at face value without some consideration of the respective load profile but under controlled conditions can provide useful metrics. <p> Other development and load/performance tools were employed from a Linux platform. For someone educated in computing during the (19)70s, the availability of VM technology for such purposes is just brilliant! <span class="high italic">But you know, we were happy in those days, though we were poor.</span> <p> Indispensible were <ul class="list simple list0"> <li class="item"> <a class="link blank" target="_blank" href="https://nghttp2.org/documentation/nghttp.1.html">https://nghttp2.org/documentation/nghttp.1.html</a> <li class="item"> <a class="link blank" target="_blank" href="https://nghttp2.org/documentation/h2load.1.html">https://nghttp2.org/documentation/h2load.1.html</a> <li class="item"> <a class="link blank" target="_blank" href="https://nghttp2.org/documentation/nghttpx.1.html">https://nghttp2.org/documentation/nghttpx.1.html</a> <li class="item"> <a class="link blank" target="_blank" href="https://www.zaproxy.org">https://www.zaproxy.org</a> </ul> <p> Many thanks to the developer(s) of this package. 
<a id="5.3" href="#"></a> <a id="5.3.http2configuration" href="#"></a> <a id="http2configuration" href="#"></a> <h2 class="head"><span class="numb">5.3</span><span class="text">HTTP/2 Configuration</span></h2> <p> While effectively transparent to the end-user, HTTP/2 has some aspects that need to be carefully considered by the server administrator. <ul class="list"> <li class="item"> The level of (request) concurrency suggested by RFC 7540 section 6.5.2 would likely require redimensioning a web server and possibly the supporting system. Environments historically expecting per-client resource demand to be limited by the number of concurrent (HTTP/1.<span class="high italic">n</span>) network connections an agent will deploy per origin server, often limited to less than a dozen, might behave entirely differently when presented with many dozens, or potentially hundreds of requests. WASD's default of 100 is the RFC recommendation in part because browsers tend to open multiple connections to maintain the parallelism sought, so a reduction in HTTP/2 stream concurrency often just increases HTTP/2 connection concurrency. <li class="item"> Secure HTTP requires a minimum of TLS 1.2 with SNI and ALPN (RFC 7540 section 9.2). <li class="item"> The ciphers available for use with HTTP/2 secure HTTP are quite specific (at least in what the RFC prohibits - RFC 7540 Appendix A). This and the overall encryption requirements for HTTP/2 can cause issues with established (older) agents and with mainstream browsers strictly enforcing the RFC definitions making support for combined /2-/1.1 services sometimes problematic. <p> Use of elliptic curve ciphers (ECDHE), as an element of Perfect Forward Security (PFS), is mandated for HTTP/2 (RFC 7540 section 9.2.2). The keys for the elliptic curve ciphers are stored in PEM-encoded files ocated in WASD_ROOT:[LOCAL]. 
These can be copied from the WASD OpenSSL package using <div class="blockof code">$ copy WASD_ROOT:[SRC.OPENSSL-<span class="high italic">n_n_n</span>.WASD.CERT]DH_PARAM_*.PEM WASD_ROOT:[LOCAL] </div> or locally generated as described in <a class="link" href="#4.5.5.forwardsecrecy">4.5.5 Forward Secrecy</a>. <p> This SSL configuration and minimum cipher list seems to work for all major browsers at the time of writing: <div class="blockof code"># WASD_CONFIG_GLOBAL [SecureSocket] enabled [SSLversion] TLSvall [SSLoptions] +OP_CIPHER_SERVER_PREFERENCE [SSLcipherList] EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:-DSS: </div> <span class="high bold">YMMV!</span> <li class="item"> TLS renegotiation (e.g. for a client certificate) must not be performed on an HTTP/2 secure connection. This precludes having selected paths perform authorisation based on X509 and means that the service itself must request a client certificate at connection establishment (RFC 7540 section 9.2.1). <li class="item"> While the protocol provides for HTTP/2 using non-TLS (non-SSL) connections the major browsers (Chrome, Edge (MSIE), FireFox, Safari) only support it when using TLS. To <span class="high italic">encourage</span> naive users to a TLS service the following mapping rule approach may be used to redirect non-TLS home page connections. <div class="blockof code"># WASD_CONFIG_MAP [[*:80]] if (!ssl:) redirect / https:/// </div> </ul> <a id="5.3.1" href="#"></a> <a id="5.3.1.globalconfiguration" href="#"></a> <a id="globalconfiguration" href="#"></a> <h3 class="head"><span class="numb">5.3.1</span><span class="text">Global Configuration</span></h3> <p> HTTP/2 and its features are globally enabled and configured using directives contained in the WASD_CONFIG_GLOBAL configuration file. 
<a id="5.3.1.0.1" href="#"></a> <a id="5.3.1.http2globalconfiguration" href="#"></a> <a id="http2globalconfiguration" href="#"></a> <h5 class="head"><span class="text">HTTP/2 Global Configuration</span></h5> <table class="tabl"> <tr class="tabr under"> <th class="tabh">Directive <th class="tabh">Description <th class="tabh right">Default <tr class="tabr"> <tr class="tabr backlight"> <td class="tabd">[Http2Protocol] <td class="tabd">enabled or disabled on a whole-of-server basis <td class="tabd right">disabled <tr class="tabr"> <td class="tabd">[Http2FrameSizeMax] <td class="tabd">maximum frame size in octets (bytes) the server is prepared to receive <td class="tabd right">16384 <tr class="tabr backlight"> <td class="tabd">[Http2HeaderListMax] <td class="tabd">maximum number of octets (bytes) permitted in a received header once uncompressed <td class="tabd right">65535 <tr class="tabr"> <td class="tabd">[Http2HeaderTableMax] <td class="tabd">maximum number of bytes permitted in the server-end header cache <td class="tabd right">4096 <tr class="tabr backlight"> <td class="tabd">[Http2PingSeconds] <td class="tabd">number of seconds between connection RTT pings <td class="tabd right">300 <tr class="tabr"> <td class="tabd">[Http2StreamsMax] <td class="tabd">maximum number of concurrent streams (requests) the server permits on the connection <td class="tabd right">32 <tr class="tabr backlight"> <td class="tabd">[Http2InitWindowSize] <td class="tabd">initial window size (number of octets in transit) for flow-control purposes <td class="tabd right">6291456 </table> <p> These largely reflect settings and defaults from RFC 7540 6.5.1 <ul class="list"> <li class="item"> The minimum frame size is defined by the RFC at 16384. <li class="item"> WASD automatically pings a connection every configured seconds. The latest value is available as real-number milliseconds in dictionary entry "http2_ping" and CGI variable HTTP2_PING. 
</ul> <a id="5.3.2" href="#"></a> <a id="5.3.2.serviceconfiguration" href="#"></a> <a id="serviceconfiguration" href="#"></a> <h3 class="head"><span class="numb">5.3.2</span><span class="text">Service Configuration</span></h3> <p> Using the WASD_CONFIG_SERVICE directive [ServiceHttp2Protocol] HTTP/2 may be disabled on a per-service basis. The default is enabled if HTTP/2 is enabled globally. <a id="5.3.3" href="#"></a> <a id="5.3.3.http2setrules" href="#"></a> <a id="http2setrules" href="#"></a> <h3 class="head"><span class="numb">5.3.3</span><span class="text">HTTP/2 Set Rules</span></h3> <p> WASD request processing rules may be used on a per-path basis to modify (some) global configuration settings and provide other WevDAV configuation. See <a class="link blank" target="_blank" href="../config/#requestprocessingconfiguration">Request Processing Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>). <table class="tabl"> <tr class="tabr under"> <th class="tabh">Rule <th class="tabh">Description <tr class="tabr"> <tr class="tabr backlight"> <td class="tabd">HTTP2=PROTOCOL=1.1 <td class="tabd">send a "HTTP_1_1_REQUIRED" error causing the client to use HTTP/1.1 (RFC 7540 section 7) <tr class="tabr"> <td class="tabd">HTTP2=SEND=GOAWAY <td class="tabd">send a "GOAWAY" frame to the client resulting in it dropping the HTTP/2 connection <tr class="tabr backlight"> <td class="tabd">HTTP2=SEND=PING <td class="tabd">send a "PING" frame to the client calculating the Round Trip Time (RTT) of the connection <tr class="tabr"> <td class="tabd">HTTP2=SEND=RESET <td class="tabd">send a "RST_STREAM" frame to the client causing it to drop the HTTP/2 stream (request in progress) <tr class="tabr backlight"> <td class="tabd">HTTP2=STREAMS=MAX=<span class="high italic">integer</span> <td class="tabd">set the maximum concurrent streams on a per-path basis <tr class="tabr"> <td class="tabd">HTTP2=WRITE=<span class="high 
italic">low|normal|high</span> <td class="tabd">When request data is written it is queued at the specified priority, where high priority are written before normal (default) and low priority, and normal priority before low. This is only for associated stream (request) and is not a connection or whole-of-server prioritisation. </table> <p> Use path SETings to prioritise some resources (e.g. CSS and JavaScript) over others (e.g. images) and potentially improve page rendering speed. Where multiple concurrent requests are being serviced on the one HTTP/2 connection this will deliver the <span class="high italic">high</span>er priority content before others. <div class="blockof code"># WASD_CONFIG_MAP SET **.css http2=write=high SET **.js http2=write=high </div> <a id="5.4" href="#"></a> <a id="5.4.http2detection" href="#"></a> <a id="http2detection" href="#"></a> <h2 class="head"><span class="numb">5.4</span><span class="text">HTTP/2 Detection</span></h2> <p> A request using HTTP/2 may be detected during processing with the <span class="high italic">http2:</span> conditional. <div class="blockof code">if (http2:) <span class="high italic">do this</span> endif </div> <p> See <a class="link blank" target="_blank" href="../config/#conditionalconfiguration">Conditional Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>). <p> A script may detect HTTP/2 using the REQUEST_PROTOCOL CGI variable with the value "HTTP/2". Other protocol versions are similarly represented. <p> A Server-Side Includes (SSI) document can use variations on the following construct (and similar to the script suggestion immediately above) to detect and process the request protocol. 
<div class="blockof code"><!--#if var={request_protocol} eqs="HTTP/2" --> HTTP/2 <!--#else--> HTTP/1.n <!--#endif--> </div> This is demonstrated in the example SSI document: <p class="indent"> <a class="link blank" target="_blank" href="/wasd_root/exercise/shtml.shtml">WASD_ROOT:[EXERCISE]SHTML.SHTML</a> <p> At the time of writing there is no browser-supported mechanism for a dynamic document (i.e. JavaScript) determining the underlying HTTP protocol used to access a resource. To access this information the server must be used. The suggested method, and the one employed by the DOTTY.HTML tool described above, is to provide one JavaScript source for HTTP/2 and another for everything else. <p> The document would contain <div class="blockof code"><script type="text/javascript" src="/example-path/http.js"></script> </div> and the server configuration <div class="blockof code"># WASD_CONFIG_MAP if (http2:) map /example-path/http.js /example-path/http2.js else map /example-path/http.js /example-path/http1.js endif </div> where each contains a minimum variable setting or similar flag detectable by the document. <a id="5.5" href="#"></a> <a id="5.5.http2references" href="#"></a> <a id="http2references" href="#"></a> <h2 class="head"><span class="numb">5.5</span><span class="text">HTTP/2 References</span></h2> <p> The following provide a starting-point for investigating HTTP/2 (verified available at time of publication). <ul class="list"> <li class="item"> <a class="link blank" target="_blank" href="https://http2.github.io/">https://http2.github.io/</a> <br> Home page for HTTP/2 maintained by the IETF HTTP Working Group. 
<li class="item"> <a class="link blank" target="_blank" href="https://en.wikipedia.org/wiki/HTTP/2">https://en.wikipedia.org/wiki/HTTP/2</a> <li class="item"> <a class="link blank" target="_blank" href="https://httpwg.github.io/specs/rfc7540.html">https://httpwg.github.io/specs/rfc7540.html</a> <br> <a class="link blank" target="_blank" href="https://tools.ietf.org/html/rfc7540">https://tools.ietf.org/html/rfc7540</a> <br> HTTP/2 specification <li class="item"> <a class="link blank" target="_blank" href="https://httpwg.github.io/specs/rfc7541.html">https://httpwg.github.io/specs/rfc7541.html</a> <br> <a class="link blank" target="_blank" href="https://tools.ietf.org/html/rfc7541">https://tools.ietf.org/html/rfc7541</a> <br> HPACK (header compression) specification <li class="item"> <a class="link blank" target="_blank" href="https://httpwg.github.io/specs/rfc7230.html">https://httpwg.github.io/specs/rfc7230.html</a> <br> <a class="link blank" target="_blank" href="https://tools.ietf.org/html/rfc7230">https://tools.ietf.org/html/rfc7230</a> <br> Most recent HTTP/1.1 specifications (30, 31, 32, 33, 34 and 35) <li class="item"> <a class="link blank" target="_blank" href="http://http2-explained.haxx.se/">http://http2-explained.haxx.se/</a> <br> Useful overview of HTTP/2 by the developer of cURL. <li class="item"> <a class="link blank" target="_blank" href="https://hpbn.co/http2/">https://hpbn.co/http2/</a> <br> Another useful and more detailed overview of the protocol. <br> From the excellent <a class="link blank" target="_blank" href="https://hpbn.co/">https://hpbn.co/</a> <li class="item"> <a class="link blank" target="_blank" href="http://undertow.io/blog/2015/04/27/An-in-depth-overview-of-HTTP2.html">http://undertow.io/blog/2015/04/27/An-in-depth-overview-of-HTTP2.html</a> <br> A concise and useful summary. 
<li class="item"> <a class="link blank" target="_blank" href="https://blog.cloudflare.com/tools-for-debugging-testing-and-using-http-2/">https://blog.cloudflare.com/tools-for-debugging-testing-and-using-http-2/</a> <br> Not much here for VMS but a useful survey nonetheless. </ul> <!-- source:0600_WEBDAV.WASDOC --> <hr class="page"> <a id="6." href="#"></a> <a id="6.webdav" href="#"></a> <a id="webdav" href="#"></a> <h1 class="head"><span class="numb">6.</span><span class="text">WebDAV</span></h1> <div class="TOC2cols2" style="width:80%;max-width:80%;"> <table class="TOC2table"> <tr><td><a href="#6.1.httpmethodssupported"><span class="numb">6.1</span><span class="text">HTTP Methods Supported</span></a> <tr><td><a href="#6.1.1.copyrestrictions"><span class="numb">6.1.1</span><span class="text">COPY Restrictions</span></a> <tr><td><a href="#6.1.2.deleterestrictions"><span class="numb">6.1.2</span><span class="text">DELETE Restrictions</span></a> <tr><td><a href="#6.1.3.moverestrictions"><span class="numb">6.1.3</span><span class="text">MOVE Restrictions</span></a> <tr><td><a href="#6.1.4.ifrestrictions"><span class="numb">6.1.4</span><span class="text">If: Restrictions</span></a> <tr><td><a href="#6.2.webdavconfiguration"><span class="numb">6.2</span><span class="text">WebDAV Configuration</span></a> <tr><td><a href="#6.2.1.webdavsetrules"><span class="numb">6.2.1</span><span class="text">WebDAV Set Rules</span></a> <tr><td><a href="#6.2.2.filenaming"><span class="numb">6.2.2</span><span class="text">File Naming</span></a> <tr><td><a href="#6.2.3.filesystemaccess"><span class="numb">6.2.3</span><span class="text">File-system Access</span></a> <tr><td><a href="#6.2.4.filesystemauthorisation"><span class="numb">6.2.4</span><span class="text">File-system Authorisation</span></a> <tr><td><a href="#6.2.5.concurrentauthorisation"><span class="numb">6.2.5</span><span class="text">Concurrent Authorisation</span></a> <tr><td><a href="#6.2.6.realworldexample"><span 
class="numb">6.2.6</span><span class="text">Real-World Example</span></a> <tr><td><a href="#6.3.webdavmetadata"><span class="numb">6.3</span><span class="text">WebDAV Metadata</span></a> <tr><td><a href="#6.4.webdavlocking"><span class="numb">6.4</span><span class="text">WebDAV Locking</span></a> <tr><td><a href="#6.5.somewrinkles"><span class="numb">6.5</span><span class="text">Some Wrinkles</span></a> <tr><td><a href="#6.5.1.osxfinder"><span class="numb">6.5.1</span><span class="text">OS X Finder</span></a> <tr><td><a href="#6.5.2.gnomegvfsnautilus"><span class="numb">6.5.2</span><span class="text">Gnome/gvfs/Nautilus</span></a> <tr><td><a href="#6.5.3.dreamweaver"><span class="numb">6.5.3</span><span class="text">Dreamweaver</span></a> <tr><td><a href="#6.6.microsoftmiscellanea"><span class="numb">6.6</span><span class="text">Microsoft Miscellanea</span></a> <tr><td><a href="#6.6.1.mapping"><span class="numb">6.6.1</span><span class="text">Mapping</span></a> <tr><td><a href="#6.6.2.frontpageextensions"><span class="numb">6.6.2</span><span class="text">FrontPage Extensions</span></a> <tr><td><a href="#6.6.3.avoidingmicrosoftpropertyclutter"><span class="numb">6.6.3</span><span class="text">Avoiding Microsoft Property Clutter</span></a> <tr><td><a href="#6.6.4.optionsheaderquotmsauthorviadavquot"><span class="numb">6.6.4</span><span class="text">OPTIONS header "MS-Author-Via: DAV"</span></a> <tr><td><a href="#6.6.5.repairingbrokenxpwebfolders"><span class="numb">6.6.5</span><span class="text">Repairing broken XP Web Folders</span></a> <tr><td><a href="#6.6.6.addingaportnumbertothewebfolderaddress"><span class="numb">6.6.6</span><span class="text">Adding a port number to the webfolder-address</span></a> <tr><td><a href="#6.6.7.addinganumbersignquotquottothewebfolderaddress"><span class="numb">6.6.7</span><span class="text">Adding a number-sign ("#") to the webfolder-address</span></a> <tr><td><a href="#6.6.8.forcewindowsxptousebasicauthentication"><span 
class="numb">6.6.8</span><span class="text">Force Windows XP to use Basic Authentication</span></a> <tr><td><a href="#6.6.9.microsoftxpexplorerbasicauthentication"><span class="numb">6.6.9</span><span class="text">Microsoft XP Explorer BASIC Authentication</span></a> <tr><td><a href="#6.6.10.microsoftwindows7basicauthentication"><span class="numb">6.6.10</span><span class="text">Microsoft Windows 7 BASIC Authentication</span></a> <tr><td><a href="#6.6.11.error0x800700dfthefilesizeexceedsthelimitallowedandcannotbesaved"><span class="numb">6.6.11</span><span class="text">Error 0x800700DF: The file size exceeds the limit allowed and cannot be saved</span></a> <tr><td><a href="#6.7.references"><span class="numb">6.7</span><span class="text">References</span></a> </table> </div> <table class="NAVtable NAVprint"><tr> <td><a href="javascript:window.history.back();">↩︎</a> <td><a href="#5.">↖︎</a> <td><a href="#0.">↑︎</a> <td><a href="#7.">↘︎</a> <td><a href="javascript:window.history.forward();">↪︎</a> </table> <p> Web-based Distributed Authoring and (not) Versioning for the WASD package. <p> Effective WASD WebDAV file-space (without significant naming constraints) relies on being hosted on ODS-5 volumes. Behaviour hosting file-space on ODS-2 volumes is untested (though possible provided file naming is constrained to ODS-2 conventions). <p> WASD WebDAV methods and request headers, etc., are also propagated to the scripting environment and so functionality may be implemented using CGI, CGIplus or RTE based applications. <p> WASD proxy-serving supports WebDAV methods, header fields, etc. <p> Generally WebDAV clients are applications other than browsers and so response bodies with human-readable error explanations are unnecessary and consume bandwidth to no good purpose, and so not provided. <p> File-systems are notoriously latent components relative to the rest of the system (more so with VMS). 
Any operation on collections (directories) is not going to be atomic, and for large collections requiring many sub-operations the potential for the process to be interrupted or otherwise disturbed is enormous.
Issues of atomicity with the manipulation of file-system trees containing numbers of individual files makes strict RFC 4918 compliance difficult. See "…Restrictions" below. <table class="tabl"> <tr class="tabr under"> <th class="tabh">Method <th class="tabh">Description <tr class="tabr"> <tr class="tabr backlight"> <td class="tabd">COPY** <td class="tabd">Reproduces both single resources (files) and collections (directory trees). Will overwrite files (if specified by the request) but will respond 209 (Conflict) if it would overwrite a tree. <tr class="tabr"> <td class="tabd">DELETE** <td class="tabd">deletes files and directory trees <tr class="tabr backlight"> <td class="tabd">GET <td class="tabd">just the vanilla HTTP/1.1 behaviour <tr class="tabr"> <td class="tabd">HEAD <td class="tabd">ditto <tr class="tabr backlight"> <td class="tabd">LOCK** <td class="tabd">see WEBDAV LOCKING below <tr class="tabr"> <td class="tabd">MKCOL** <td class="tabd">create a directory <tr class="tabr backlight"> <td class="tabd">MOVE** <td class="tabd">Moves (rename or copy) a file or a directory tree. Will 'overwrite' files (if specified by the request) but will respond 209 (Conflict) if it would overwrite a tree. <tr class="tabr"> <td class="tabd">OPTIONS <td class="tabd">If WebDAV is enabled and available for the path this reports the WebDAV extension methods <tr class="tabr backlight"> <td class="tabd">PROPFIND** <td class="tabd">Retrieves the requested file characteristics, DAV lock status and 'dead' properties for individual files, a directory and its child files, or a directory tree. <tr class="tabr"> <td class="tabd">PROPPATCH** <td class="tabd">set and remove 'dead' meta-data properties <tr class="tabr backlight"> <td class="tabd">PUT <td class="tabd">Against a WebDAV resource behaves a little differently to historical WASD implementation of PUT. 
<tr class="tabr"> <td class="tabd">UNLOCK** <td class="tabd">see WebDAV locking below <tr class="tabr"> <td class="tabd"> <td class="tabd">**<span class="high italic">WebDAV RFC 4918 method</span> </table> <p> WASD Statistics Reports gather WebDAV related data. Where a method can be used both for vanilla HTTP/1.<span class="high italic">n</span> and WebDAV purposes it is counted in WebDAV statistics if the request header contains some other indication of a WebDAV activity. <a id="6.1.1" href="#"></a> <a id="6.1.1.copyrestrictions" href="#"></a> <a id="copyrestrictions" href="#"></a> <h3 class="head"><span class="numb">6.1.1</span><span class="text">COPY Restrictions</span></h3> <p> Does not comply with the overwrite:T directive for collections (does so for files). Will not preemptively delete the existing tree. It returns a 209 (Conflict) response instead. <p> COPY does not maintain collection consistent URL namespace if a member resource cannot be moved as required by RFC 4918. It should maintain the source subtree completely uncopied. Instead it is best-effort and continues copying resources until exhausted. This is consistent with file-system behaviour. The RFC 4918 requirement, while not impossible, is fraught with issues inside a file-system. <a id="6.1.2" href="#"></a> <a id="6.1.2.deleterestrictions" href="#"></a> <a id="deleterestrictions" href="#"></a> <h3 class="head"><span class="numb">6.1.2</span><span class="text">DELETE Restrictions</span></h3> <p> Deletion of collections is particularly fraught with issues for a file-system. In userland it is almost impossible to predetermine if an individual file in a directory tree is going to resist deletion (due to locking, protections, etc) and in kernel land it's probably no easier. It leaves the undeleted tree hierachy (resource ancestors) intact. This is RFC 4918 compliant however! 
<p> So, in the case of WASD WebDAV it's just best-effort and if something down the tree won't disappear, it just reports the failure in the 207 response and carries merrily on through the tree regardless. This IS acceptable WebDAV server behaviour! <a id="6.1.3" href="#"></a> <a id="6.1.3.moverestrictions" href="#"></a> <a id="moverestrictions" href="#"></a> <h3 class="head"><span class="numb">6.1.3</span><span class="text">MOVE Restrictions</span></h3> <p> Does not comply with the overwrite:T directive for collections (does so for files). Will not currently pre-emptively delete the existing tree. It returns a 209 (Conflict) response instead. <p> MOVE first attempts to rename the file or directory. This is reasonably efficient, especially for directory trees but obviously only suitable for a target on the same disk volume. If a rename failure is due to a different device it falls back to using a COPY then DELETE in two separate phases. Needless-to-say this is hardly atomic and can lead to inconsistencies between source and target. <p> MOVE does not maintain collection consistent URL namespace if a member resource cannot be moved as required by RFC 4918. It should maintain the source subtree unmoved. Instead it is best-effort and continues moving resources until exhausted. This is consistent with file-system behaviour. The RFC 4918 requirement, while not impossible, is fraught with issues inside a file-system. <a id="6.1.4" href="#"></a> <a id="6.1.4.ifrestrictions" href="#"></a> <a id="ifrestrictions" href="#"></a> <h3 class="head"><span class="numb">6.1.4</span><span class="text">If: Restrictions</span></h3> <p> The conditional "If:" request header field does not have full RFC 4918 support. It implements lock token and etag token processing with parenthetical OR and NOT processing. For unsupported features WATCH reports that the header was not understood and always returns an abort status. 
WebDAV "If:" processing is an extraordinarily complex kludge for on-the-fly decision making by the server, and much of what I have read indicates most clients only ever use extremely simple conditions anyway.
<a id="6.2.1" href="#"></a> <a id="6.2.1.webdavsetrules" href="#"></a> <a id="webdavsetrules" href="#"></a> <h3 class="head"><span class="numb">6.2.1</span><span class="text">WebDAV Set Rules</span></h3> <p> WASD request processing rules (see <a class="link blank" target="_blank" href="../config/#requestprocessingconfiguration">Request Processing Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>) may be used on a per-path basis to modify (some) global configuration settings and provide other WebDAV configuration. <table class="tabl"> <tr class="tabr under"> <th class="tabh">Rule <th class="tabh">Description <tr class="tabr"> <tr class="tabr backlight"> <td class="tabd">ODS=NAME=<span class="high italic">8BIT|UTF8|DEFAULT</span> <td class="tabd">When a file is PUT using WebDAV (or upload), for non-7bit ASCII file names use native ODS-5 8bit syntax (default) or UTF-8 encoded character sequences (see <a class="link" href="#6.2.2.filenaming">6.2.2 File Naming</a>) <tr class="tabr"> <td class="tabd">PUT=MAX=<integer> | * <td class="tabd">Maximum number of kilobytes file size, if "*" then effectively unlimited (per-path equivalent of the global directive [PutMaxKBytes]). <tr class="tabr backlight"> <td class="tabd">WEBDAV=[NO]HIDDEN <td class="tabd">list (default) or hide U*x <span class="high italic">hidden</span> files (i.e. 
those with names beginning with period) <tr class="tabr"> <td class="tabd">WEBDAV=[NO]LOCK <td class="tabd">allow/apply WebDAV locking to this path <tr class="tabr backlight"> <td class="tabd">WEBDAV=[NO]PROFILE <td class="tabd">WebDAV access according to SYSUAF profile <tr class="tabr"> <td class="tabd">WEBDAV=[NO]PROP <td class="tabd">allow/apply WebDAV 'dead' property(ies) to this path <tr class="tabr backlight"> <td class="tabd">WEBDAV=[NO]PUT=LOCK <td class="tabd">a resource must be locked before a PUT is allowed <tr class="tabr"> <td class="tabd">WEBDAV=[NO]READ <td class="tabd">WebDAV methods allowed to read this tree <tr class="tabr backlight"> <td class="tabd">WEBDAV=[NO]SERVER <td class="tabd">WebDAV access as server account (best effort) <tr class="tabr"> <td class="tabd">WEBDAV=[NO]WINPROP <td class="tabd">when NOWINPROP, Windows properties are ignored and emulated <tr class="tabr backlight"> <td class="tabd">WEBDAV=[NO]WRITE <td class="tabd">WebDAV methods allowed to write to this path (implies read) <tr class="tabr"> <td class="tabd">WEBDAV=LOCK=TIMEOUT=DEFAULT= <td class="tabd">hh:mm:ss <tr class="tabr backlight"> <td class="tabd">WEBDAV=LOCK=TIMEOUT=MAX= <td class="tabd">hh:mm:ss <tr class="tabr"> <td class="tabd">WEBDAV=META=DIR= <td class="tabd">per-path equivalent of global [WebDAVmetaDir] (see <a class="link" href="#6.3.webdavmetadata">6.3 WebDAV Metadata</a>) </table> <p> An essential function of the path setting rules is to specify which paths in server Web-space are allowed to be accessed using the WebDAV protocol and what sort of access (read, write, etc.) that path is allowed. <a id="6.2.2" href="#"></a> <a id="6.2.2.filenaming" href="#"></a> <a id="filenaming" href="#"></a> <h3 class="head"><span class="numb">6.2.2</span><span class="text">File Naming</span></h3> <p> By default files that are PUT via WebDAV (or upload) support the ISO Latin-1 character set. ASCII and non-7-bit file names use the native ODS-5 syntax. 
Where character sets other than ISO Latin-1 are required, or where compatibility with other WebDAV implementations is desired (e.g. Apache), a path can be set to allow file names supplied using UTF-8 sequences. <p> For example, the English language word "naïve", having a diaeresis mark over the "i" character (indicating it is pronounced separately from the preceding vowel) is commonly represented using the 8 bit character 0xEF, or as the two byte UTF-8 sequence 0xC3AF. This word if used as the file name with a type (extension) of ".TXT" by default would have the sequence of 8-bit characters <div class="blockof code">0x6E 0x61 0xEF 0x76 0x65 0x2e 0x54 0x58 0x54 </div> and if the path had been set <span class="high italic">ods=name=utf8</span> the sequence would be <div class="blockof code">0x6E 0x61 0xC3 0xAF 0x76 0x65 0x2E 0x54 0x58 0x54 </div> <p> "Index of" (directory) listings will honour a path set <span class="high italic">ods=name=utf8</span> and make the listing character set UTF-8 resulting in a browser correctly rendering the name (WebDAV listings are by definition UTF-8). <a id="6.2.2.0.1" href="#"></a> <a id="6.2.2.filenameambiguity" href="#"></a> <a id="filenameambiguity" href="#"></a> <h5 class="head"><span class="text">File Name Ambiguity</span></h5> <p> While files and directories created via WebDAV will have a consistent naming schema applied, those created by applications or manual operation on the VMS system can result in files that are not accessible with WebDAV. <p> For example the file name <div class="blockof code">This^_is^_an^_EXAMPLE^.txt.;1 </div> would be presented to the client as <div class="blockof code">This is an EXAMPLE.txt </div> which when provided in a URL as <div class="blockof code">This%20is%20an%20EXAMPLE.txt </div> and translated from that URL into the file specification <div class="blockof code">This^_is^_an^_EXAMPLE.txt;1 </div> of course will not be able to be accessed. 
<p> In addition, the two files <div class="blockof code">This^_is^_an^_EXAMPLE.txt;1 This^_is^_an^_EXAMPLE^.txt.;1 </div> are distinct in the file-system, independently parsed from the directory structure, would be presented to the client as consecutive entries having the same name, with only the accessible file name actually available. <div class="blockof code">This is an EXAMPLE.txt This is an EXAMPLE.txt </div> <p> To avoid this situation a potentially ambiguous file name containing an escaped period and no type (extension) is ignored by directory listings and WebDAV property lists. When an ambiguous file name is detected it is reported in WATCH reports. <div class="note"> <a id="6.2.2.0.2" href="#"></a> <a id="6.2.2.avoidquotinterestingquotfilenames" href="#"></a> <a id="avoidquotinterestingquotfilenames" href="#"></a> <h5 class="head center"><span class="text">Avoid "Interesting" File Names</span></h5> <hr class="note_hr"> While most of these are corner-cases it is best to try and avoid <span class="high italic">interesting</span> file names that can challenge the rather convoluted VMS file-system environment. Inaccessible file names cannot of course be deleted or renamed via WebDAV and may result in directory (folder) deletion problems. These situations generally require manual intervention. 
<hr class="note_hr"> </div> <a id="6.2.3" href="#"></a> <a id="6.2.3.filesystemaccess" href="#"></a> <a id="filesystemaccess" href="#"></a> <h3 class="head"><span class="numb">6.2.3</span><span class="text">File-system Access</span></h3> <p> File-system access is controlled using the mapping rules: <table class="tabl"> <tr class="tabr under"> <th class="tabh">Rule <th class="tabh">Description <tr class="tabr"> <tr class="tabr"> <td class="tabd">WEBDAV=PROFILE <td class="tabd">access using request SYSUAF-authenticated security profile <tr class="tabr"> <td class="tabd">WEBDAV=WRITE <td class="tabd">unconditional permission to read/write <tr class="tabr"> <td class="tabd">WEBDAV=READ <td class="tabd">unconditional permission to read <tr class="tabr"> <td class="tabd">WEBDAV=SERVER <td class="tabd">access using server account permissions </table> <p> All access by WebDAV operations <span class="high bold">must have at least one set</span> against the path. If access is permitted by one of the above settings SYSPRV is enabled to allow that access using the server account. Therefore files and directories should have a SYSTEM:READ+WRITE+EXECUTE+DELETE protection or equivalent ACL permissions, or the access may fail totally or in some part of a supposedly atomic action. <p> These file-system access settings are applied in the order listed above. That is, if a path successively has one or more of the above settings applied during rule processing, when it comes to applying those access controls the SYSUAF profile is applied first; if no profile is set, access is then read/write, then read-only, then access via the server account. <p> In addition WebDAV access requires an authorisation rule against each path. 
<a id="6.2.4" href="#"></a> <a id="6.2.4.filesystemauthorisation" href="#"></a> <a id="filesystemauthorisation" href="#"></a> <h3 class="head"><span class="numb">6.2.4</span><span class="text">File-system Authorisation</span></h3> <p> All access by WebDAV operations <span class="high bold">must have one set</span> against the path. <p> All WebDAV access is a combination of WASD_CONFIG_MAP path setting and WASD_CONFIG_AUTH authorisation permissions. The less permissive of the two overrides the more permissive. The combination of an authorisation rule and a path mapping rule mitigates the chance of opening unintended access into the file-system. <p> This is the test-bench environment used during development: <div class="blockof code"># WASD_CONFIG_MAP pass /dweb/* /dweb/* ods=5 webdav=write webdav=nowinprop # WASD_CONFIG_AUTH ["KLAATU"=WASD_VMS_RW=id] /dweb/* r+w </div> <p> Note that WebDAV read/write access is a combination of the mapping and the authorisation rule (mapping WEBDAV=READ overrides authorisation read+write). Expect complications with Microsoft environments. <p> For test-benching you could avoid authorisation issues completely with: <div class="blockof code"># WASD_CONFIG_AUTH [world] /dweb/* r+w </div> <a id="6.2.5" href="#"></a> <a id="6.2.5.concurrentauthorisation" href="#"></a> <a id="concurrentauthorisation" href="#"></a> <h3 class="head"><span class="numb">6.2.5</span><span class="text">Concurrent Authorisation</span></h3> <p> A common requirement is to provide concurrent general access and authorised WebDAV access to the same Web-space. This is accomplished by using two paths mapped into the same file-system space, the general access (non-authorised) path, and a WebDAV (authorised) path. The WebDAV client uses the authorised path and can then apply WebDAV methods to maintain the resources. 
<div class="blockof code"># WASD_CONFIG_MAP pass /web/* /web/* ods=5 pass /davweb/* /web/* ods=5 webdav=profile webdav=nowinprop # WASD_CONFIG_AUTH ["KLAATU"=WASD_VMS_RW=id] /davweb/* r+w </div> <a id="6.2.6" href="#"></a> <a id="6.2.6.realworldexample" href="#"></a> <a id="realworldexample" href="#"></a> <h3 class="head"><span class="numb">6.2.6</span><span class="text">Real-World Example</span></h3> <p> The following configuration is taken from a site using WebDAV to allow users to manage their Web presence. The user mapping is a fairly standard configuration for VMS accounts (see <a class="link blank" target="_blank" href="../config/#Mapping User Directories (tilde character ("~"))">Mapping User Directories (tilde character ("~"))</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>). User Web areas are in the [.WWW] subdirectory of the account home area. <div class="blockof code"># WASD_CONFIG_MAP # general and WebDAV access (order is important) user /~*/dav/* /*/www/* webdav=profile notepad=webdav user /~*/dav /*/www webdav=profile notepad=webdav if (pass:-1 && notepad:webdav) pass /~*/dav/* /d1/*/www/* if (pass:-1 && notepad:webdav) pass /~*/dav/* /d2/*/www/* user /~*/* /*/www/* dir=access if (pass:-1) pass /~*/* /d1/*/www/* if (pass:-1) pass /~*/* /d2/*/www/* </div> <p> The four WebDAV access rules are located before the three general user access rules. The WebDAV rules are more specific. The first USER rule maps subdirectories - and the parent if a trailing slash is included. The second USER rule maps the parent directory for user agents that do not include trailing slash on their directory specifications (most it seems). <p> The second pair of rules <span class="high italic">reverse-maps</span> the VMS file-system specifications represented by the <span class="high italic">result</span> (right side) of the PASS rule into the path represented by the <span class="high italic">template</span> (left side) of the PASS rule. 
Mapping from file-specifications to paths is necessary because of the way the PROPFIND method searches the file-system and then reports its results to the client as URLs. <p> The use of the <span class="high italic">notepad</span> rule with a string of "webdav" (the actual string is not significant as long as it is unique within the rules) is used to conditionally process the reverse-mapping rules. They will be applied only to the requests originally mapped by the USER rules. The <span class="high italic">pass:-1</span> ensures the rules are only applied during reverse-mapping, not during request mapping. <p> The fifth rule maps general Web access to the user area. Remember, web access is to a user home subdirectory [.WWW]. <p> The sixth and seventh rules <span class="high italic">reverse-map</span> the VMS file-system specifications for the general USER rules for similar reasons to those described above. Why two? The user directories occur across two disk volumes and so each must be reverse-mapped. <div class="blockof code"># WASD_CONFIG_AUTH ["VMS username/password"=WASD_VMS_RW=id] /~*/dav/* read+write,profile,https: /~*/dav read+write,profile,https: </div> <p> As noted above, WASD WebDAV requires both mapping and authorization rules (even for "world" - or non-authenticated - access). <p> In this case authorisation is only required for WebDAV access. There are two rules. The first authorises subdirectories and parent directories for agents that supply a trailing slash. The second is for agents that do not provide a trailing slash. <a id="6.2.6.0.1" href="#"></a> <a id="6.2.6.whyusehellip" href="#"></a> <a id="whyusehellip" href="#"></a> <h5 class="head"><span class="text">Why use …</span></h5> <p> … two rules for each location? Why <div class="blockof code">user /~*/dav/* /*/www/* user /~*/dav /*/www </div> rather than <div class="blockof code">user /~*/dav* /*/www* </div> which would accomplish a <span class="high italic">similar</span> result? 
<p> For finer control. The first only matches requests with a path of "/~user/dav/subdir/" and "/~user/dav", whereas the latter matches "/~user/dav/subdir/" and "/~user/dav" and "/~user/david/" and "/~user/davros", etc. <a id="6.3" href="#"></a> <a id="6.3.webdavmetadata" href="#"></a> <a id="webdavmetadata" href="#"></a> <h2 class="head"><span class="numb">6.3</span><span class="text">WebDAV Metadata</span></h2> <p> Metadata is data (information) about data. WebDAV uses the concept of a resource <span class="high italic">property</span>. There are "live" properties and "dead" properties. Essentially the live properties are the dynamic characteristics of a file-system object represented by creation and modification date-times, object size, etc. WebDAV dead properties are those supplied by WebDAV clients as XML entities and stored associated with the particular WebDAV object, in WASD's case the file-system object (file or directory). WASD also uses the file metadata to store resource lock data (see <a class="link" href="#6.4.webdavlocking">6.4 WebDAV Locking</a>). <a id="6.3.0.0.1" href="#"></a> <a id="6.3.metadatafiles" href="#"></a> <a id="metadatafiles" href="#"></a> <h5 class="head"><span class="text">Metadata Files</span></h5> <p> WASD manages resource metadata using a separate file associated by name with the data file. This is done for reasons of programmatic simplicity and for the convenience of any command-line owner or sysadmin of the resources. No specialised tools are required. This metadata file can be stored in one of three locations. <ol class="list"> <li class="item"> By default, WASD uses a metadata file in the same directory and the same name with "__wasdav" appended to the extension (type). All non-WebDAV WASD functionality ignores "*.*__wasdav;" files (e.g. directory listing, file GET). Of course other applications (e.g. directory listing) do not. 
<div class="blockof code">$ DIRECTORY/SIZE/DATE 01234*.* Directory WEB:[DAVweb] 01234^.56789.TXT;1 0.50KB 8-JUN-2009 23:07:19.26 01234^.56789.txt__wasdav;1 1KB 19-JUN-2009 03:20:34.50 0123456789.TXT;1 0.50KB 8-JUN-2009 23:06:59.16 0123456789.txt__wasdav;1 1KB 19-JUN-2009 03:19:14.67 </div> <li class="item"> An alternate but still <span class="high italic">local</span> location, is in the WASD_CONFIG_GLOBAL [WebDAVmetadir] globally specified, or per-path <span class="high italic">SET /path webdav=meta=dir</span> directives. If specified as a subdirectory the metadata file is stored in a subdirectory of the data file directory using the same name with "__wasdav" appended to the extension (type). This is owned by the owner of the parent directory. The metadata directory does not appear in WASD WebDAV or file system listings. Choose something unique as the name cannot be used elsewhere in WebDAV space. <p> For example, with the global directive <div class="blockof code"># WASD_CONFIG_GLOBAL [WebDAVmetaDir] [.^.dav] </div> specifying a subdirectory with a name containing a leading period (i.e. a U*x <span class="high italic">hidden</span> file), the data files <div class="blockof code">Directory WEB:[DAVweb] 01234^.56789.TXT;1 0.50KB 8-JUN-2009 23:07:19.26 0123456789.TXT;1 0.50KB 8-JUN-2009 23:06:59.16 </div> would have the associated metadata files <div class="blockof code">Directory WEB:[DAVweb.^.dav] 01234^.56789.txt__wasdav;1 1KB 19-JUN-2009 03:20:34.50 0123456789.txt__wasdav;1 1KB 19-JUN-2009 03:20:24.77 </div> <li class="item"> The final alternative uses the same directives as above but specifies a full directory path. In this case WebDAV metadata is stored completely separately from the data. This can be anywhere in available file-space. The web server account requires full access to this directory, with the simplest method of ensuring this to give ownership to the directory. This global location is only suitable for ODS-5 volumes. 
Sixteen hexadecimal named subdirectories are used to partition metadata files with file names generated using data file full name escaped using extended parse syntax. Using this approach a sysadmin can easily locate specific metadata files if required. <p> For example, with the global directive <div class="blockof code"># WASD_CONFIG_GLOBAL [WebDAVmetaDir] DKA0:[WASDAVMETA] </div> the data files <div class="blockof code">Directory WEB:[DAVweb] 01234^.56789.TXT;1 0.50KB 8-JUN-2009 23:07:19.26 0123456789.TXT;1 0.50KB 8-JUN-2009 23:06:59.16 </div> would have the associated metadata files <div class="blockof code">Directory DKA0:[WASDAVMETA.06] web^:^[davweb^]01234^.56789.txt__wasdav;1 1KB 19-JUN-2009 03:21:34.40 web^:^[davweb^]0123456789.txt__wasdav;1 1KB 19-JUN-2009 03:21:14.67 </div> </ol> <a id="6.3.0.0.2" href="#"></a> <a id="6.3.directorymetadata" href="#"></a> <a id="directorymetadata" href="#"></a> <h5 class="head"><span class="text">Directory Metadata</span></h5> <p> The metadata file associated with a directory is stored in the same metadata location as files contained by that directory (not in the metadata location associated with the parent directory that contains the directory file). This metadata file is named ".DIR__wasdav" (i.e. no name, just an extension), with the following example illustrating how this would appear in each of the three metadata locations, for a subdirectory named "New Folder". <div class="blockof code">WEB:[DAVweb.New^_Folder].DIR__wasdav;1 WEB:[DAVweb.New^_Folder.^.dav].DIR__wasdav;1 DKA0:[WASDAVMETA.06]web^:^[davweb^.new^_folder^].dir__wasdav;1 </div> <a id="6.3.0.0.3" href="#"></a> <a id="6.3.metadataxml" href="#"></a> <a id="metadataxml" href="#"></a> <h5 class="head"><span class="text">Metadata XML</span></h5> <p> All metadata is stored using XML. Multiple XML data can be contained in a single metadata file. Each can be individually manipulated by a WebDAV client. The property elements are stored as-supplied by the client. 
It is presumed that their XML well-formedness is guaranteed by the original request XML parsing. Metadata files have content similar to the following: <div class="blockof code">$ TYPE 0123456789.txt__wasdav;1 <?xml version="1.0" encoding="UTF-8"?> <WASDAV:data xmlns:WASDAV="WASD.VMS.WebDAV" updated="2009-06-18T17:49:14Z 19-JUN-2009 03:19:14"> <WASDAV:lock token="opaquelocktoken:4D462D61B0E0427F19B425EBEEF2CFF6" depth="0" type="write" scope="exclusive" timeout="Second-86400" expires="2009-06-20T22:49:14Z 21-JUN-2009 08:19:14"> <WASDAV:owner><NS:href xmlns:NS="DAV:">MGD</NS:href></WASDAV:owner> </WASDAV:lock> <WASDAV:prop> <NS:one xmlns:NS="two">three</NS:one> </WASDAV:prop> <WASDAV:prop> <NS:four xmlns:NS="five">six</NS:four> </WASDAV:prop> <WASDAV:prop> <NS:seven xmlns:NS="eight">nine</NS:seven> </WASDAV:prop> </WASDAV:data> </div> <p> This metadata example contains four properties; an exclusive write lock owned by "MGD" and three set by a client in three different (contrived) namespaces. <div class="note"> <a id="6.3.0.0.4" href="#"></a> <a id="6.3.metadatashouldnotbeeditedmanually" href="#"></a> <a id="metadatashouldnotbeeditedmanually" href="#"></a> <h5 class="head center"><span class="text">Metadata should not be edited manually ...</span></h5> <hr class="note_hr"> … unless you really, really know what you're doing. WASD deletes meta-data files it does not understand or otherwise considers damaged (with some resultant loss of information). Of course you can, for example to remove a lock on a resource, but you run the (small) risk of a "lost-update" and other complications. And, again of course, full metadata can be deleted at the command-line. 
<hr class="note_hr"> </div> <a id="6.3.0.0.5" href="#"></a> <a id="6.3.microsoftmetadata" href="#"></a> <a id="microsoftmetadata" href="#"></a> <h5 class="head"><span class="text">Microsoft Metadata</span></h5> <p> An example of such property meta-data generated by a Microsoft Windows (not Internet) Explorer client (example wrapped for presentation): <div class="blockof code"><?xml version="1.0" encoding="UTF-8"?> <WASDAV:data xmlns:WASDAV="WASD.VMS.WebDAV" updated="2007-07-23T01:39:11Z"> <WASDAV:prop> <NS:Win32CreationTime xmlns:NS="urn:schemas-microsoft-com:"> Tue, 26 Jun 2007 02:00:48 GMT</NS:Win32CreationTime> </WASDAV:prop> <WASDAV:prop> <NS:Win32LastAccessTime xmlns:NS="urn:schemas-microsoft-com:"> Mon, 23 Jul 2007 01:52:32 GMT</NS:Win32LastAccessTime> </WASDAV:prop> <WASDAV:prop> <NS:Win32LastModifiedTime xmlns:NS="urn:schemas-microsoft-com:"> Mon, 23 Jul 2007 01:52:32 GMT</NS:Win32LastModifiedTime> </WASDAV:prop> <WASDAV:prop> <NS:Win32FileAttributes xmlns:NS="urn:schemas-microsoft-com:"> 00000020</NS:Win32FileAttributes> </WASDAV:prop> </WASDAV:data> </div> <p> Every file written or modified by <span class="high italic">Windows Explorer</span> generates this sort of metadata which is then stored in an associated metadata file and read each time the data file is accessed. Some might consider this unnecessary clutter in most circumstances (I do). WASD allows this metadata to be suppressed and equivalent data generated (fudged) from file <span class="high italic">live</span> properties when accessed - often sufficient for purpose. To suppress the actual processing of <span class="high italic">Windows Explorer</span> metadata set a path using the WEBDAV=NOWINPROP in WASD_CONFIG_MAP. 
<div class="blockof code">set /webdav/* webdav=NOwinprop </div> <a id="6.4" href="#"></a> <a id="6.4.webdavlocking" href="#"></a> <a id="webdavlocking" href="#"></a> <h2 class="head"><span class="numb">6.4</span><span class="text">WebDAV Locking</span></h2> <p> For efficiency and functionality considerations WebDAV locking may be enabled and disabled (default) as global functionality using the WASD_CONFIG_GLOBAL [WebDAVlocking] directive. Additionally the WEBDAV=[NO]LOCKING path SETing can configure this on a per-path basis. <a id="6.4.0.0.1" href="#"></a> <a id="6.4.writeaccessonly" href="#"></a> <a id="writeaccessonly" href="#"></a> <h5 class="head"><span class="text">Write Access Only</span></h5> <p> In common with RFC 4918 WASD WebDAV locking controls only write access. Both exclusive and shared locks are provided. Locking applies to the DELETE, LOCK, MKCOL, MOVE, PROPPATCH, PUT, and UNLOCK methods. <a id="6.4.0.0.2" href="#"></a> <a id="6.4.lockingdepth" href="#"></a> <a id="lockingdepth" href="#"></a> <h5 class="head"><span class="text">Locking Depth</span></h5> <p> WASD WebDAV locking checks parent collections to a configurable depth. WASD_CONFIG_GLOBAL directive [WebDAVlockCollectionDepth] where the default (0 or 1) checks only WebDAV locking on files, 2 WebDAV locking on the parent directory, 3 on the grandparent, 4 the great-grandparent, etc. Of course each level can add significant latency (and expense) to some operations. <div class="note"> <a id="6.4.0.0.3" href="#"></a> <a id="6.4.lockdepth0" href="#"></a> <a id="lockdepth0" href="#"></a> <h5 class="head center"><span class="text">Lock Depth 0</span></h5> <hr class="note_hr"> Real world experience has suggested locking depth should be maintained at the default 0 (or 1), allowing the client explicitly to manage and negotiate hierarchies of locking if required. WebDAV clients (probably correctly) assume a minimally compliant and relatively unsophisticated WebDAV server. 
<hr class="note_hr"> </div> <p> For more information on locking operation and implementation details see the DAVLOCK.C module and for meta-data in general the DAVMETA.C module. <a id="6.4.0.0.4" href="#"></a> <a id="6.4.lockingtimeout" href="#"></a> <a id="lockingtimeout" href="#"></a> <h5 class="head"><span class="text">Locking Timeout</span></h5> <p> When a client locks a resource it can specify the period for the lock. In the absence of such a specification WASD will apply the [WebDAVlockTimeoutDefault] value (by default 0-01:00:00 - one hour). WASD also applies the [WebDAVlockTimeoutMax] maximum lock period (by default 7-00:00:00 - one week). When the maximum period expires the lock is no longer valid. <a id="6.4.0.0.5" href="#"></a> <a id="6.4.vmsdlmlocking" href="#"></a> <a id="vmsdlmlocking" href="#"></a> <h5 class="head"><span class="text">VMS DLM Locking</span></h5> <p> WASD uses VMS locking to queue and arbitrate access to WebDAV resources and meta-files. <p> Two lock modes are employed; 'exclusive', when changes are to be made to the resource or its meta-data, and 'concurrent read', when resource and/or meta-data are only to be read. Concurrent read locks are compatible, but an exclusive queued against a resource currently being read waits, as does a read against a current exclusive. <p> WASD takes out its own VMS DLM locks on resources (files and directories) before beginning any WebDAV operation, and these prevent conflict with other WASD WebDAV operations on the same system or cluster, but RMS does not use these nor does WASD use RMS locks (except when actually accessing the file-system of course), and so there is potential for interactions between the two domains (in common with general file-system activities). WASD WebDAV deliberately does not try to block file-system actions from other processing (except where RMS locks/blocks). Its own DLM locking is purely for internal purposes. 
<a id="6.5" href="#"></a> <a id="6.5.somewrinkles" href="#"></a> <a id="somewrinkles" href="#"></a> <h2 class="head"><span class="numb">6.5</span><span class="text">Some Wrinkles</span></h2> <p> Some application/environment-specific considerations when using WASD WebDAV. Please report any you encounter for future inclusion in this section. Also see <a class="link" href="#6.6.microsoftmiscellanea">6.6 Microsoft Miscellanea</a> immediately below. <a id="6.5.1" href="#"></a> <a id="6.5.1.osxfinder" href="#"></a> <a id="osxfinder" href="#"></a> <h3 class="head"><span class="numb">6.5.1</span><span class="text">OS X Finder</span></h3> <p> OS X Finder requires [WebDAVlocking] enabled for read/write access, otherwise access will be read-only. <a id="6.5.2" href="#"></a> <a id="6.5.2.gnomegvfsnautilus" href="#"></a> <a id="gnomegvfsnautilus" href="#"></a> <h3 class="head"><span class="numb">6.5.2</span><span class="text">Gnome/gvfs/Nautilus</span></h3> <br>As at publication, <span class="high italic">Gnome/gvfs/Nautilus</span> has quite a number of behavioural problems with associated Bugzilla items. Don't expect it to behave well! This has been my experience. <a id="6.5.3" href="#"></a> <a id="6.5.3.dreamweaver" href="#"></a> <a id="dreamweaver" href="#"></a> <h3 class="head"><span class="numb">6.5.3</span><span class="text">Dreamweaver</span></h3> <p> Dreamweaver 8 (at least, the only version I have access to) insists on using a URI with a trailing "/./" occasionally (I'm guessing to specify the "current" directory - cf. "/../", or "parent" syntax). Just absorb this internally using an appropriate mapping internal redirect. <div class="blockof code">redirect /webdav/**/./ /webdav/*/ </div> <a id="6.6" href="#"></a> <a id="6.6.microsoftmiscellanea" href="#"></a> <a id="microsoftmiscellanea" href="#"></a> <h2 class="head"><span class="numb">6.6</span><span class="text">Microsoft Miscellanea</span></h2> <p> A cornucopia of minor and major considerations! 
<div class="note"> <a id="6.6.0.0.1" href="#"></a> <a id="6.6.muchofthisisprewindows10" href="#"></a> <a id="muchofthisisprewindows10" href="#"></a> <h5 class="head center"><span class="text">much of this is pre- Windows 10</span></h5> <hr class="note_hr"> and relates to Windows 7, Windows XP and possibly earlier. Windows 10 and WebDAV behaviour is very much an unknown quantity. The following information continues to be included for historical reference only. <hr class="note_hr"> </div> <p> Microsoft approach WebDAV in their own inimitable fashion. Hence Microsoft agents, considering their ubiquity, including their mini-redirector are specifically looked for and functionality modified to accommodate them. <p> The following is a list of topics/issues that were encountered/investigated during WASD WebDAV development. They may or may not be applicable to your site. <p> Some general references: <ul class="list simple list0"> <li class="item"> <a class="link blank" target="_blank" href="http://greenbytes.de/tech/webdav/webdav-redirector-list.html">http://greenbytes.de/tech/webdav/webdav-redirector-list.html</a> <li class="item"> <a class="link blank" target="_blank" href="http://greenbytes.de/tech/webdav/webfolder-client-list.html">http://greenbytes.de/tech/webdav/webfolder-client-list.html</a> <li class="item"> <a class="link blank" target="_blank" href="http://www.zorched.net/2006/03/01/more-webdav-tips-tricks-and-bugs/">http://www.zorched.net/2006/03/01/more-webdav-tips-tricks-and-bugs/</a> <li class="item"> <a class="link blank" target="_blank" href="http://www.webdavsystem.com/server/documentation/troubleshooting">http://www.webdavsystem.com/server/documentation/troubleshooting</a> <li class="item"> <a class="link blank" target="_blank" href="http://www.webdavsystem.com/documentation/troubleshooting">http://www.webdavsystem.com/documentation/troubleshooting</a> <li class="item"> <a class="link blank" target="_blank" 
href="http://code.google.com/p/sabredav/wiki/Windows">http://code.google.com/p/sabredav/wiki/Windows</a> <li class="item"> <a class="link blank" target="_blank" href="http://ulihansen.kicks-ass.net/aero/webdav/">http://ulihansen.kicks-ass.net/aero/webdav/</a> <li class="item"> <a class="link blank" target="_blank" href="http://chapters.marssociety.org/webdav/">http://chapters.marssociety.org/webdav/</a> </ul> <p> DOS/Windows command-line network configuration: <div class="blockof code">C:\> NET USE Z: http://the.host.name/folder/ C:\> NET USE Z: /DELETE </div> <a id="6.6.1" href="#"></a> <a id="6.6.1.mapping" href="#"></a> <a id="mapping" href="#"></a> <h3 class="head"><span class="numb">6.6.1</span><span class="text">Mapping</span></h3> <p> Microsoft agents (at least) seem to request the server OPTIONS of the server root regardless of any path provided with the NET USE or other network drive mapping employed. To selectively map such a request into a path that has WebDAV enabled on it (and will therefore respond with the DAV-related options) use a conditional redirect rule. For example <div class="blockof code">if (webdav:) if (request-method:OPTIONS) redirect / /dav-path/ endif </div> or if only required for MS agents then something more specific <div class="blockof code">if (webdav:MSagent) if (request-method:OPTIONS) redirect / /dav-path/ endif </div> <p> Subsequent rules will probably be required to map typeless directory requests to the actual directory required. <div class="blockof code">redirect /dav-path /dav-path/ pass /dav-path/* /dav_root/* webdav=read </div> <a id="6.6.2" href="#"></a> <a id="6.6.2.frontpageextensions" href="#"></a> <a id="frontpageextensions" href="#"></a> <h3 class="head"><span class="numb">6.6.2</span><span class="text">FrontPage Extensions</span></h3> <p> Requests containing paths /_vti_inf.html and /_vti_bin/* are related to FrontPage protocol discovery probing. 
They can be adequately handled using a mapping rule such as the following: <div class="blockof code">pass /_vti_* "404 Not an MS platform!" </div> <a id="6.6.3" href="#"></a> <a id="6.6.3.avoidingmicrosoftpropertyclutter" href="#"></a> <a id="avoidingmicrosoftpropertyclutter" href="#"></a> <h3 class="head"><span class="numb">6.6.3</span><span class="text">Avoiding Microsoft Property Clutter</span></h3> <p> See <a class="link" href="#6.3.microsoftmetadata">‘Microsoft Metadata’ in 6.3 WebDAV Metadata</a>. <a id="6.6.4" href="#"></a> <a id="6.6.4.optionsheaderquotmsauthorviadavquot" href="#"></a> <a id="optionsheaderquotmsauthorviadavquot" href="#"></a> <h3 class="head"><span class="numb">6.6.4</span><span class="text">OPTIONS header "MS-Author-Via: DAV"</span></h3> <ul class="list simple"> <li class="item"> <a class="link blank" target="_blank" href="http://msdn2.microsoft.com/en-us/library/ms691698.aspx">http://msdn2.microsoft.com/en-us/library/ms691698.aspx</a> </ul> <p> If the server's response does not contain an MS-Author-Via header, the OLE DB Provider for Internet Publishing loads the WEC and WebDAV protocol drivers one at a time (WEC first, WebDAV second) and asks them, "Do you know how to handle this URL?", specifying the exact URL passed in by the client. The first protocol which responds "yes" is selected. If neither protocol driver responds "yes" then the method which triggered the automatic driver selection (usually IBindResource::Bind) fails with an OLE DB Provider for Internet Publishing specific error code IPP_E_SERVERTYPE_NOT_SUPPORTED.
<a id="6.6.5" href="#"></a> <a id="6.6.5.repairingbrokenxpwebfolders" href="#"></a> <a id="repairingbrokenxpwebfolders" href="#"></a> <h3 class="head"><span class="numb">6.6.5</span><span class="text">Repairing broken XP Web Folders</span></h3> <ul class="list simple"> <li class="item"> <a class="link blank" target="_blank" href="http://chapters.marssociety.org/webdav/">http://chapters.marssociety.org/webdav/</a> </ul> <p> Some Windows XP machines have a broken Web Folders installation. Microsoft includes a Web Folders repair utility built in to Windows to correct the problem. Use the following steps to fix the problem: <ol class="list"> <li class="item"> Click on the "Start" menu in the lower left corner, and select "Run..." <li class="item"> Type in "webfldrs.msi" and click the "OK" button. <li class="item"> Click on the "Select reinstall mode" button. <li class="item"> Select *ALL* of the checkboxes *except* for the second one ("Reinstall only if file is missing"). <li class="item"> Click on the "OK" button. <li class="item"> Click on the "Reinstall" button. <li class="item"> After the reinstallation is complete, reboot the computer. </ol> <a id="6.6.6" href="#"></a> <a id="6.6.6.addingaportnumbertothewebfolderaddress" href="#"></a> <a id="addingaportnumbertothewebfolderaddress" href="#"></a> <h3 class="head"><span class="numb">6.6.6</span><span class="text">Adding a port number to the webfolder-address</span></h3> <p> Attach the port-number (80 by default) to the http-address you enter into the field of the "My Network Places"-assistant. As you can see in the following image and the linked screenshot, this will force Windows XP to use the "Microsoft Data Access Internet Publishing Provider DAV 1.1" mechanism instead of "Microsoft-WebDAV-MiniRedir/5.1.2600". 
<a id="6.6.7" href="#"></a> <a id="6.6.7.addinganumbersignquotquottothewebfolderaddress" href="#"></a> <a id="addinganumbersignquotquottothewebfolderaddress" href="#"></a> <h3 class="head"><span class="numb">6.6.7</span><span class="text">Adding a number-sign ("#") to the webfolder-address</span></h3> <p> It is also possible to add the number sign # to the http-address you enter into the field of the "My Network Places"-assistant. As you can see in the following image and the linked screenshot, this will also force Windows XP to use the "Microsoft Data Access Internet Publishing Provider DAV 1.1" mechanism instead of "Microsoft-WebDAV-MiniRedir/5.1.2600". <div class="blockof code">http://the.host.name/folder# </div> <a id="6.6.8" href="#"></a> <a id="6.6.8.forcewindowsxptousebasicauthentication" href="#"></a> <a id="forcewindowsxptousebasicauthentication" href="#"></a> <h3 class="head"><span class="numb">6.6.8</span><span class="text">Force Windows XP to use Basic Authentication</span></h3> <p> There is a third way to get this working from the client-site. As described in the Microsoft Knowledge Base, Article ID: 841215, Windows XP disables "Basic Auth" in his "Microsoft-WebDAV-MiniRedir/5.1.2600"-mechanism by default for security reasons. See description below. 
<a id="6.6.9" href="#"></a> <a id="6.6.9.microsoftxpexplorerbasicauthentication" href="#"></a> <a id="microsoftxpexplorerbasicauthentication" href="#"></a> <h3 class="head"><span class="numb">6.6.9</span><span class="text">Microsoft XP Explorer BASIC Authentication</span></h3> <ul class="list simple"> <li class="item"> <a class="link blank" target="_blank" href="http://www.microsoft.com/technet/prodtechnol/winxppro/\maintain/sp2netwk.mspx">http://www.microsoft.com/technet/prodtechnol/winxppro/\maintain/sp2netwk.mspx</a> </ul> <p> You can enable BasicAuth by adding the following registry key and setting it to a non-zero value: <div class="blockof code">HKEY_LOCAL_MACHINE\SYSTEM \CurrentControlSet\Services\WebClient\Parameters\UseBasicAuth (DWORD) </div> <p> If you delete the registry key or set it to 0, the behavior reverts to the default, or disabling the use of BasicAuth. <p> Disabling Basic Authentication over a clear channel: <p> Because the DAVRdr is part of the remote file-system stack, a computer is open to attack whenever an attempt is made to remotely access files. Although the threat to other applications that use the Internet APIs is less severe than it is for the DAVRdr, a similar attack is possible whenever an application (or the user) attempts to access a URL. For this reason, WinInet is exposing the mechanism by which the DAVRdr disables BasicAuth to other users of the Internet APIs. <p> With Windows XP Service Pack 2, there are two ways to block the use of Basic Authentication over clear (or unencrypted) channels: <p> Create the following registry key and set it to a non-zero value. <div class="blockof code">HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion \InternetSettings\DisableBasicOverClearChannel (DWORD) </div> <p> This prevents WININET from attempting to use BasicAuth unless the channel is secured (HTTPS or SSL). 
<p> The application can disable the use of BasicAuth for its connections by setting the AUTH_FLAG_DISABLE_BASIC_CLEARCHANNEL flag (0x4) in the value supplied in the call to InternetSetOption using INTERNET_OPTION_AUTH_FLAGS. <p> <span class="high bold"> AND THEN RESTART WINDOWS ***</span> <a id="6.6.10" href="#"></a> <a id="6.6.10.microsoftwindows7basicauthentication" href="#"></a> <a id="microsoftwindows7basicauthentication" href="#"></a> <h3 class="head"><span class="numb">6.6.10</span><span class="text">Microsoft Windows 7 BASIC Authentication</span></h3> <p> You can enable BasicAuth by setting the following registry key to the value 3 and restarting the WebClient service: <div class="blockof code">HKEY_LOCAL_MACHINE\SYSTEM \CurrentControlSet\Services\WebClient\Parameters\BasicAuthLevel (DWORD) </div> <a id="6.6.11" href="#"></a> <a id="6.6.11.error0x800700dfthefilesizeexceedsthelimitallowedandcannotbesaved" href="#"></a> <a id="error0x800700dfthefilesizeexceedsthelimitallowedandcannotbesaved" href="#"></a> <h3 class="head"><span class="numb">6.6.11</span><span class="text">Error 0x800700DF: The file size exceeds the limit allowed and cannot be saved</span></h3> <p> "In my case I try to copy file over WEBDAV to WEB Client connection e.g. I have mapped drive to web site. file is about 70MB I can copy small files from the same WEBDav folder." <div class="blockof code">HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters </div> <ol class="list"> <li class="item"> Right click on the FileSizeLimitInBytes and click Modify <li class="item"> Click on Decimal <li class="item"> In the Value data box, type 4294967295, and then click OK. Note this sets the maximum you can download from the Webdav to 4 gig at one time, I havent figured out how to make it unlimited so if you want to download more you need to split it up. 
</ol> <ul class="list simple"> <li class="item"> <a class="link blank" target="_blank" href="http://social.answers.microsoft.com\/Forums/en/xphardware/thread/d208bba6-920c-4639-bd45-f345f462934f">http://social.answers.microsoft.com\/Forums/en/xphardware/thread/d208bba6-920c-4639-bd45-f345f462934f</a> </ul> <a id="6.7" href="#"></a> <a id="6.7.references" href="#"></a> <a id="references" href="#"></a> <h2 class="head"><span class="numb">6.7</span><span class="text">References</span></h2> <p> These are the resources used during WASD WebDAV development. <ul class="list"> <li class="item"> WebDAV in general: <ul class="list simple list0"> <li class="item"> <a class="link blank" target="_blank" href="http://webdav.org/">http://webdav.org/</a> <li class="item"> <a class="link blank" target="_blank" href="http://en.wikipedia.org/wiki/Webdav">http://en.wikipedia.org/wiki/Webdav</a> <li class="item"> <a class="link blank" target="_blank" href="http://tools.ietf.org/html/rfc4918">http://tools.ietf.org/html/rfc4918</a> <li class="item"> <a class="link blank" target="_blank" href="http://tools.ietf.org/html/rfc4331">http://tools.ietf.org/html/rfc4331</a> (quota) <li class="item"> <a class="link blank" target="_blank" href="http://tools.ietf.org/html/rfc2518">http://tools.ietf.org/html/rfc2518</a> (obsoleted by RFC 4918) </ul> <li class="item"> WebDAV: Next-Generation Collaborative Web Authoring <br>Lisa Dusseault, 2003 ISBN: 0130652083 <li class="item"> Using Expat by Clark Cooper: <ul class="list simple list0"> <li class="item"> <a class="link blank" target="_blank" href="http://en.wikipedia.org/wiki/Expat_(XML)">http://en.wikipedia.org/wiki/Expat_(XML)</a> <li class="item"> <a class="link blank" target="_blank" href="http://www.xml.com/pub/a/1999/09/expat/index.html">http://www.xml.com/pub/a/1999/09/expat/index.html</a> <li class="item"> <a class="link blank" target="_blank" href="http://www.xml.com/lpt/a/47">http://www.xml.com/lpt/a/47</a> </ul> </ul> <a id="6.7.0.0.1" 
href="#"></a> <a id="6.7.clienttools" href="#"></a> <a id="clienttools" href="#"></a> <h5 class="head"><span class="text">Client Tools</span></h5> <p> All these have been used during WASD WebDAV development. <ul class="list"> <li class="item">A comprehensive but not exhaustive list <br><a class="link blank" target="_blank" href="http://www.webdavsystem.com/server/access/">http://www.webdavsystem.com/server/access/</a> <br><a class="link blank" target="_blank" href="http://www.webdavsystem.com/server/access/clients_comparison">http://www.webdavsystem.com/server/access/clients_comparison</a> <li class="item">DAVExplorer - a Java-based GUI Explorer-style file navigation tool <br><a class="link blank" target="_blank" href="http://www.davexplorer.org/">http://www.davexplorer.org/</a> <li class="item">cadaver - a command-line WebDAV client for *x <br><a class="link blank" target="_blank" href="http://www.webdav.org/cadaver/">http://www.webdav.org/cadaver/</a> <li class="item">davfs2 - a mountable WebDAV file-system for Linux <br><a class="link blank" target="_blank" href="http://savannah.nongnu.org/projects/davfs2">http://savannah.nongnu.org/projects/davfs2</a> <li class="item">The WebDAV URL handling of KDE 4.2 Dolphin (v1.2) <br><a class="link blank" target="_blank" href="http://www.webdavsystem.com/server/access/konqueror">http://www.webdavsystem.com/server/access/konqueror</a> (yup, I know!) <br>In contrast to Gnome as reported below, KDE and its KIO/Dolphin behave extraordinarily well. <li class="item">The WebDAV URL handling of Gnome Nautilus (2.26.2, gvfs/1.2.2) <br><a class="link blank" target="_blank" href="http://www.webdavsystem.com/server/access/gnome_nautilus">http://www.webdavsystem.com/server/access/gnome_nautilus</a> <br>As at publication, <span class="high bold">Gnome/gvfs/Nautilus has quite a number of behavioural problems</span> with associated Bugzilla items. Don't expect it to behave reasonably!
<li class="item">The WebDAV handling of Apple Mac macOS X Finder <br><a class="link blank" target="_blank" href="http://www.webdavsystem.com/server/access/macosx">http://www.webdavsystem.com/server/access/macosx</a> <li class="item">Windows Explorer - and the associated mini-redirector, et al., on XP (not Vista). <br>See below. <li class="item">Another Windows option - try before you buy (i.e. commercial product). <br>"WebDrive is more than just an FTP Client." Indeed! It's a functional WebDAV drive-letter client. <br><a class="link blank" target="_blank" href="http://www.webdrive.com/">http://www.webdrive.com/</a> <li class="item"> <span class="high bold">And if you really need effective WebDAV on a Windows platform ...</span> <br>"BitKinex integrates the functionality of an innovative FTP, SFTP and WebDAV client for Windows." <br><span class="high bold">And it's FREEWARE!</span> <br><a class="link blank" target="_blank" href="http://www.bitkinex.com/">http://www.bitkinex.com/</a> </ul> <!-- source:0700_PROXY.WASDOC --> <hr class="page"> <a id="7."
href="#"></a> <a id="7.proxyservices" href="#"></a> <a id="proxyservices" href="#"></a> <h1 class="head"><span class="numb">7.</span><span class="text">Proxy Services</span></h1> <div class="TOC2cols2"> <table class="TOC2table"> <tr><td><a href="#7.1.httpproxyserving"><span class="numb">7.1</span><span class="text">HTTP Proxy Serving</span></a> <tr><td><a href="#7.1.1.enablingaproxyservice"><span class="numb">7.1.1</span><span class="text">Enabling A Proxy Service</span></a> <tr><td><a href="#7.1.2.proxyaffinity"><span class="numb">7.1.2</span><span class="text">Proxy Affinity</span></a> <tr><td><a href="#7.1.3.proxybind"><span class="numb">7.1.3</span><span class="text">Proxy Bind</span></a> <tr><td><a href="#7.1.4.proxychaining"><span class="numb">7.1.4</span><span class="text">Proxy Chaining</span></a> <tr><td><a href="#7.1.5.controllingproxyserving"><span class="numb">7.1.5</span><span class="text">Controlling Proxy Serving</span></a> <tr><td><a href="#7.2.proxycache"><span class="numb">7.2</span><span class="text">Proxy Cache</span></a> <tr><td><a href="#7.3.connectserving"><span class="numb">7.3</span><span class="text">CONNECT Serving</span></a> <tr><td><a href="#7.3.1.enablingconnectserving"><span class="numb">7.3.1</span><span class="text">Enabling CONNECT Serving</span></a> <tr><td><a href="#7.3.2.controllingconnectserving"><span class="numb">7.3.2</span><span class="text">Controlling CONNECT Serving</span></a> <tr><td><a href="#7.4.socksversion5"><span class="numb">7.4</span><span class="text">SOCKS Version 5</span></a> <tr><td><a href="#7.5.ftpproxyserving"><span class="numb">7.5</span><span class="text">FTP Proxy Serving</span></a> <tr><td><a href="#7.5.1.ftpquerystringkeywords"><span class="numb">7.5.1</span><span class="text">FTP Query String Keywords</span></a> <tr><td><a href="#7.5.2.quotloginquotkeyword"><span class="numb">7.5.2</span><span class="text">"login" Keyword</span></a> <tr><td><a href="#7.6.gatewayingusingproxy"><span 
class="numb">7.6</span><span class="text">Gatewaying Using Proxy</span></a> <tr><td><a href="#7.6.1.reverseproxy"><span class="numb">7.6.1</span><span class="text">Reverse Proxy</span></a> <tr><td><a href="#7.6.2.proxyrework"><span class="numb">7.6.2</span><span class="text">Proxy Rework</span></a> <tr><td><a href="#7.6.3.oneshotproxy"><span class="numb">7.6.3</span><span class="text">One-Shot Proxy</span></a> <tr><td><a href="#7.6.4.dnswildcardproxy"><span class="numb">7.6.4</span><span class="text">DNS Wildcard Proxy</span></a> <tr><td><a href="#7.6.5.originatingssl"><span class="numb">7.6.5</span><span class="text">Originating SSL</span></a> <tr><td><a href="#7.7.tunnelingusingproxy"><span class="numb">7.7</span><span class="text">Tunneling Using Proxy</span></a> <tr><td><a href="#7.7.1.serviceproxytunnelconnect"><span class="numb">7.7.1</span><span class="text">[ServiceProxyTunnel] CONNECT</span></a> <tr><td><a href="#7.7.2.serviceproxytunnelraw"><span class="numb">7.7.2</span><span class="text">[ServiceProxyTunnel] RAW</span></a> <tr><td><a href="#7.7.3.serviceproxytunnelfirewall"><span class="numb">7.7.3</span><span class="text">[ServiceProxyTunnel] FIREWALL</span></a> <tr><td><a href="#7.7.4.encryptedtunnel"><span class="numb">7.7.4</span><span class="text">Encrypted Tunnel</span></a> <tr><td><a href="#7.7.5.encryptedtunnelwithauthentication"><span class="numb">7.7.5</span><span class="text">Encrypted Tunnel With Authentication</span></a> <tr><td><a href="#7.7.6.sharedsshtunnel"><span class="numb">7.7.6</span><span class="text">Shared SSH Tunnel</span></a> <tr><td><a href="#7.7.7.complexprivatetunneling"><span class="numb">7.7.7</span><span class="text">Complex Private Tunneling</span></a> <tr><td><a href="#7.7.8.tunnellingsource"><span class="numb">7.7.8</span><span class="text">Tunnelling Source</span></a> <tr><td><a href="#7.8.browserproxyconfiguration"><span class="numb">7.8</span><span class="text">Browser Proxy Configuration</span></a> <tr><td><a 
href="#7.8.1.manual"><span class="numb">7.8.1</span><span class="text">Manual</span></a> <tr><td><a href="#7.8.2.automatic"><span class="numb">7.8.2</span><span class="text">Automatic</span></a> </table> </div> <table class="NAVtable NAVprint"><tr> <td><a href="javascript:window.history.back();">↩︎</a> <td><a href="#6.">↖︎</a> <td><a href="#0.">↑︎</a> <td><a href="#8.">↘︎</a> <td><a href="javascript:window.history.forward();">↪︎</a> </table> <p> A proxy server acts as an intermediary between Web clients and Web servers. It listens for requests from the clients and forwards these to remote servers. The proxy server then receives the responses from the servers and returns them to the clients. Why go to this trouble? There are several reasons, the most common being: <ul class="list"> <li class="item"> To allow internal clients access to the Internet from behind a firewall. Browsers behind the firewall have full Web access via the proxy system. <li class="item"> To provide controlled access to internal resources for external clients. The proxy server provides a managed gateway through a firewall into an organisation's Web resources. <li class="item"> Many proxy servers provide caching, or local storage, of responses. For frequent or commonly accessed resources this can not only significantly reduce apparent network latency but also greatly reduce the total traffic downloaded by a site. <li class="item"> For anonymity. Although often related directly to firewall security considerations, it can also sometimes be an advantage to just not reveal the exact source of Web transactions from within your local network. </ul> <a id="7.0.0.0.1" href="#"></a> <a id="7.proxyservingquickstart" href="#"></a> <a id="proxyservingquickstart" href="#"></a> <h5 class="head"><span class="text">Proxy Serving Quick-Start</span></h5> <p> No additional software needs to be installed to provide proxy serving. 
<p> Proxy serving is essentially configured using a combination of configuration directives in WASD_CONFIG_GLOBAL and WASD_CONFIG_SERVICE to enable proxy serving both globally and then to allow a specific service to make outgoing connections, along with mapping directives in WASD_CONFIG_MAP to control and direct those outgoing connections. <p> The following steps provide a brief outline of proxy configuration. <ol class="list"> <li class="item"> Enable proxy serving and specify which particular services are to be proxies (<a class="link" href="#7.1.1.enablingaproxyservice">7.1.1 Enabling A Proxy Service</a> and <a class="link blank" target="_blank" href="../config/#serviceconfiguration">Service Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>) <li class="item"> If providing SSL tunneling (proxy of Secure Sockets Layer transactions) add/modify a service for that (<a class="link" href="#7.3.connectserving">7.3 CONNECT Serving</a>). <li class="item"> Add WASD_CONFIG_MAP mapping rules for controlling this/these services; these rules determine both who may use the proxy and which destinations it will connect to (<a class="link" href="#7.1.5.controllingproxyserving">7.1.5 Controlling Proxy Serving</a>, <a class="link" href="#7.3.2.controllingconnectserving">7.3.2 Controlling CONNECT Serving</a>, and <a class="link" href="#7.5.ftpproxyserving">7.5 FTP Proxy Serving</a>). <li class="item"> Restart server (HTTPD/DO=RESTART).
</ol> <a id="7.0.0.0.1.1" href="#"></a> <a id="7.proxyerrormessages" href="#"></a> <a id="proxyerrormessages" href="#"></a> <h6 class="head display0"><span class="text">Proxy Error Messages</span></h6> <a id="7.0.0.0.2" href="#"></a> <a id="7.errormessages" href="#"></a> <a id="errormessages" href="#"></a> <h5 class="head"><span class="text">Error Messages</span></h5> <p> When proxy processing is enabled and WASD_CONFIG_GLOBAL directive [ReportBasicOnly] is disabled it is necessary to make adjustments to the contents of the WASD_CONFIG_MSG message configuration file [status] item beginning "Additional Information". Each of the "/httpd/-/status<span class="high italic">nxx</span>.html" links <div class="blockof code"><a href="/httpd/-/status1xx.html">1<i>xx</i></a> <a href="/httpd/-/status2xx.html">2<i>xx</i></a> <a href="/httpd/-/status3xx.html">3<i>xx</i></a> <a href="/httpd/-/status4xx.html">4<i>xx</i></a> <a href="/httpd/-/status5xx.html">5<i>xx</i></a> <a href="/httpd/-/statushelp.html">help</a> </div> should be changed to include a local host component <div class="blockof code"><a href="http://local.host.name/httpd/-/status1xx.html">1<i>xx</i></a> <a href="http://local.host.name/httpd/-/status2xx.html">2<i>xx</i></a> <a href="http://local.host.name/httpd/-/status3xx.html">3<i>xx</i></a> <a href="http://local.host.name/httpd/-/status4xx.html">4<i>xx</i></a> <a href="http://local.host.name/httpd/-/status5xx.html">5<i>xx</i></a> <a href="http://local.host.name/httpd/-/statushelp.html">help</a> </div> <p> If this is not provided the links and any error report will be interpreted by the browser as relative to the server the proxy was attempting to request from and the error explanation will not be accessible. 
<a id="7.1" href="#"></a> <a id="7.1.httpproxyserving" href="#"></a> <a id="httpproxyserving" href="#"></a> <h2 class="head"><span class="numb">7.1</span><span class="text">HTTP Proxy Serving</span></h2> <p> WASD provides a proxy service for the HTTP scheme (protocol). <p> Proxy serving generally relies on DNS resolution of the requested host name. DNS lookup can introduce significant latency to transactions. To help ameliorate this WASD incorporates a host name cache. To ensure cache consistency the contents are regularly flushed, after which host names must use DNS lookup again, refreshing the information in the cache. The period of this cache purge is controlled with the [ProxyHostCachePurgeHours] configuration parameter. <p> When a request is made by a proxy server it is common for it to add a line to the request header stating that it is a forwarded request and the agent doing the forwarding. With WASD proxying this line would look something like this: <div class="blockof code">Forwarded: by http://host.name.domain (HTTPd-WASD/8.4.0 OpenVMS/IA64 SSL) </div> It is enabled using the [ProxyForwarded] configuration parameter. <p> An additional, and perhaps more widely used facility, is the Squid extension field to the proxied request header supplying the originating client host name or IP address (note that this discloses the client's address to the origin server, which runs counter to the anonymity use described above). <div class="blockof code">X-Forwarded-For: client.host.name </div> It is enabled using the [ProxyXForwardedFor] configuration parameter. <a id="7.1.1" href="#"></a> <a id="7.1.1.enablingaproxyservice" href="#"></a> <a id="enablingaproxyservice" href="#"></a> <h3 class="head"><span class="numb">7.1.1</span><span class="text">Enabling A Proxy Service</span></h3> <p> Proxy serving is enabled on a global basis using the WASD_CONFIG_GLOBAL file [ProxyServing] configuration parameter. After that each virtual service must have proxy functionality enabled as a per-service configuration.
<p> WASD can configure services using the WASD_CONFIG_GLOBAL [service] directive, the WASD_CONFIG_SERVICE configuration file, or even the /SERVICE= qualifier. <a id="7.1.1.0.1" href="#"></a> <a id="7.1.1.wasdconfigservice" href="#"></a> <a id="wasdconfigservice" href="#"></a> <h5 class="head"><span class="text">WASD_CONFIG_SERVICE</span></h5> <p> Using directives listed in <a class="link blank" target="_blank" href="../config/#serviceconfiguration">Service Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>, this example illustrates configuring a non-proxy server (the <span class="high italic">disabled</span> is the default and essentially redundant) and a proxy service. <div class="blockof code">[[http://alpha.example.com:80]] [ServiceProxy] disabled [[http://alpha.example.com:8080]] [ServiceProxy] enabled </div> <a id="7.1.2" href="#"></a> <a id="7.1.2.proxyaffinity" href="#"></a> <a id="proxyaffinity" href="#"></a> <h3 class="head"><span class="numb">7.1.2</span><span class="text">Proxy Affinity</span></h3> <p> High performance/highly available proxy server configurations require more than one instance configured and running. Whether this is done by running multiple instances on the same host or one instance on multiple hosts, it leads to situations where successive requests will be processed by different instances. As those instances don't share a common name to IP address cache, they will eventually use different IP addresses when trying to connect to an origin server running on multiple hosts.
<p> This may result in the following, user visible, issues: <ul class="list"> <li class="item"> multiple requests for authentication (one from each origin host) <li class="item"> loss of icons, images, javascripts, CSS because requests for these files, although they return a 401 status, will not trigger a browser authentication dialog <li class="item"> loss of context and performance issues where scripts/environments need to be started on a new host (php, python, webware,...) </ul> <p> For these reasons, the proxy server will make every effort to relay successive requests from a given client to the same origin host as long as this one is available (built-in failover capability will ultimately trigger the choice of a new host). This is known as client to origin affinity or proxy affinity capability. <p> Proxy to origin server affinity is enabled using the following service configuration directive. <div class="blockof code">[[http://alpha.example.com:8080]] [ServiceProxy] enabled [ServiceProxyAffinity] enabled </div> <a id="7.1.2.0.1" href="#"></a> <a id="7.1.2.useshttpcookies" href="#"></a> <a id="useshttpcookies" href="#"></a> <h5 class="head"><span class="text">Uses HTTP Cookies</span></h5> <p> Obviously the use of cookies must be enabled in the browser or this facility will not operate for that client. After the first successful connection to an origin host, the proxy server will send a cookie indicating the IP address used to the client browser. Upon subsequent requests, this cookie will be used to select the same host. The cookie is named <span class="high italic">WasdProxyAffinity_origin.host.name</span> and the value simply the IP address in dotted decimal. This cookie is not propagated beyond the proxy service but may be WATCHed by checking the <span class="high italic">Proxy Processing</span> item. 
<a id="7.1.3" href="#"></a> <a id="7.1.3.proxybind" href="#"></a> <a id="proxybind" href="#"></a> <h3 class="head"><span class="numb">7.1.3</span><span class="text">Proxy Bind</span></h3> <p> It is possible to make the outgoing request appear to originate from a particular source address. The network interface must be able to bind to the specified IP address (i.e. it cannot be an arbitrary address). <div class="blockof code">[[http://alpha.example.com:8080]] [ServiceProxy] enabled [ServiceProxyBind] 131.185.250.1 </div> <p> The same behaviour may be accomplished with a WASD_CONFIG_MAP mapping rule. <div class="blockof code">SET http://*.example.com proxy=bind=131.185.250.1 </div> <a id="7.1.4" href="#"></a> <a id="7.1.4.proxychaining" href="#"></a> <a id="proxychaining" href="#"></a> <h3 class="head"><span class="numb">7.1.4</span><span class="text">Proxy Chaining</span></h3> <p> Some sites may already be firewalled and have corporate proxy servers providing Internet access. It is quite possible to use WASD proxying in this environment, where the WASD server makes the proxied requests via the next proxy server in the hierarchy. This is known as <span class="high italic">proxy chaining</span>. <div class="blockof code">[[http://alpha.example.com:8080]] [ServiceProxy] enabled [ServiceProxyChain] next.proxy.host </div> <p> Chaining may also be controlled on a virtual service or path basis using a WASD_CONFIG_MAP mapping rule.
<div class="blockof code">SET http://*.com proxy=chain=next.proxy.host:8080 </div> <a id="7.1.4.0.1" href="#"></a> <a id="7.1.4.chainauthorization" href="#"></a> <a id="chainauthorization" href="#"></a> <h5 class="head"><span class="text">Chain Authorization</span></h5> <p> If the upstream proxy server requires authorization this may be supplied using a per-service directive <div class="blockof code">[[http://alpha.example.com:8080]] [ServiceProxy] enabled [ServiceProxyChain] next.proxy.host [ServiceProxyChainCred] basic:<span class="high left italic"><username>:<password></span> </div> or via mapping rule <div class="blockof code">SET http://*.com proxy=chain=next.proxy.host:8080 \ proxy=chain=cred=<span class="high italic">basic:<username>:<password></span> </div> <p> The <span class="high italic">basic:</span> keyword allows WASD to appropriately encode (not encrypt) the credentials. Basic authentication is the only scheme currently supported. <a id="7.1.5" href="#"></a> <a id="7.1.5.controllingproxyserving" href="#"></a> <a id="controllingproxyserving" href="#"></a> <h3 class="head"><span class="numb">7.1.5</span><span class="text">Controlling Proxy Serving</span></h3> <p> Requests at a service enabled for proxy processing are directed to proxy processing using a fundamental rule which terminates rule processing and initiates the outgoing connection. <div class="blockof code">pass * http:// </div> This rule and variant equivalents for FTP and CONNECT processing, and in combination with other rules to purpose, are seen in the examples in this section on proxy. <p> Controlling both access-to and access-via proxy serving is possible. <a id="7.1.5.0.1" href="#"></a> <a id="7.1.5.proxypassword" href="#"></a> <a id="proxypassword" href="#"></a> <h5 class="head"><span class="text">Proxy Password</span></h5> <p> Access to the proxy service can be directly controlled through the use of WASD authorization. Proxy authorization is distinct from general access authorization.
It uses specific <span class="high italic">proxy authorization</span> fields provided by HTTP, and by this allows a proxied transaction to also supply transaction authorization for the remote server. In the WASD_CONFIG_SERVICE configuration file: <div class="blockof code">[[http://alpha.example.com:8080]] [ServiceProxy] enabled [ServiceProxyAuth] proxy </div> <p> In addition to the service being specified as requiring authorization it is also necessary to configure the source of the authentication. This is done using the WASD_CONFIG_AUTH configuration file. The following example shows all requests for the proxy virtual service must be authorized (GET as well as POST, etc.), although it is possible to restrict access to only read (GET), preventing data being sent out via the server. <div class="blockof code">[[alpha.example.com:8080]] ["Proxy Access"=PROXY_ACCESS=id] http://* read+write </div> <a id="7.1.5.0.2" href="#"></a> <a id="7.1.5.chainpassword" href="#"></a> <a id="chainpassword" href="#"></a> <h5 class="head"><span class="text">Chain Password</span></h5> <p> An up-stream, chained proxy server (<a class="link" href="#7.1.4.proxychaining">7.1.4 Proxy Chaining</a>) may be permitted to receive proxy authentication from the client via a WASD proxy server using the <span class="high monosp">CHAIN</span> keyword. Unconfigured, WASD does not propagate HTTP <span class="high italic">proxy authorization</span> fields. Only one proxy server in a chain can be authenticated against. <div class="blockof code">[[http://alpha.example.com:8080]] [ServiceProxy] enabled [ServiceProxyAuth] chain </div> <a id="7.1.5.0.3" href="#"></a> <a id="7.1.5.localpassword" href="#"></a> <a id="localpassword" href="#"></a> <h5 class="head"><span class="text">Local Password</span></h5> <p> It is also possible to control proxy access via local authorization, although this is less flexible by removing the ability to then pass authorization information to the remote service.
In other respects it is set up in the same way as proxy authorization, but enabled using the <span class="high monosp">LOCAL</span> keyword. <div class="blockof code">[[http://alpha.example.com:8080]] [ServiceProxy] enabled [ServiceProxyAuth] local </div> <a id="7.1.5.0.4" href="#"></a> <a id="7.1.5.accessfiltering" href="#"></a> <a id="accessfiltering" href="#"></a> <h5 class="head"><span class="text">Access Filtering</span></h5> <p> Extensive control of how, by whom and what a proxy service is used for may be exercised using WASD general and conditional mapping <a class="link blank" target="_blank" href="../config/#requestprocessingconfiguration">Request Processing Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>) and <a class="link blank" target="_blank" href="../config/#conditionalmapping">Conditional Mapping</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>) possibly in the context of a virtual service specification for the particular connect service host and port (see <a class="link blank" target="_blank" href="../config/#virtualservers">Virtual Servers</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>). The following examples provide a small indication of how mapping could be used in a proxy service context. <ol class="list"> <li class="item"> It is possible, though more often not practical, to regulate which hosts are connected to via the proxy service. For example, the following rule forbids accessing any site with the string "hacker" in it (for the proxy service "alpha…:8080"). <div class="blockof code">[[alpha.example.com:8080]] pass http://*hacker*/* "403 Proxy access to this host is forbidden." pass http://* </div> <li class="item"> Or as in the following example, only allow access to specific sites. 
<div class="blockof code">[[alpha.example.com:8080]] pass http://*.org/* pass http://*.digital.com/* pass http://* "403 Proxy access to this host is forbidden." </div> <li class="item"> It is also possible to restrict access via the proxy service to selected hosts on the internal subnet. Here only a range of literal addresses plus a single host in another subnet are allowed access to the service. <div class="blockof code">[[alpha.example.com:8080]] pass http://* "403 Restricted access." ![ho:131.185.250.* ho:131.185.200.10] pass http://* </div> <li class="item"> In the following example POSTing to a particular proxied server is not allowed (why I can't imagine, but hey, this is an example!) <div class="blockof code">[[alpha.example.com:8080]] pass http://subscribe.sexy.com/* "403 POSTing not allowed." [me:POST] pass http://* </div> <li class="item"> It is possible to redirect proxied requests to other sites. <div class="blockof code">[[alpha.example.com:8080]] redirect http://www.sexy.com/* http://www.disney.com/ pass http://* </div> <li class="item"> A proxy service is just a specialized capability of a general HTTP service. Therefore it is quite in order for the one service to respond to standard HTTP requests as well as proxy-format HTTP requests. To enforce the use of a particular service as proxy-only, add a final rule to a virtual service's mapping restricting non-proxy requests. <div class="blockof code">[[alpha.example.com:8080]] pass http://* pass /* "403 This is a proxy-only service." </div> <li class="item"> This example provides the essentials when supporting <span class="high italic">reverse proxying</span>. Note that mappings may become quite complex when supporting access to resources across multiple internal systems (e.g. access to directory icons). 
<div class="blockof code">[[main.corporate.server.com:80]] pass /sales/* http://sales.corporate.server.com/* pass /shipping/* http://shipping.corporate.server.com/* pass /support/* http://support.corporate.server.com/* pass * "403 Nothing to access here!" </div> </ol> <div class="note"><a id="7.1.5.0.4.1" href="#"></a> <a id="7.1.5.note" href="#"></a> <a id="note" href="#"></a> <h5 class="head center"><span class="text">Note</span></h5> <hr class="note_hr"> To expedite proxy mapping it is recommended to have a final rule for the proxy virtual service that explicitly <span class="high italic">pass</span>es the request. This would most commonly be a permissive pass as in example 1, could quite easily be a restrictive pass as in example 2, or a combination as in example 6. <hr class="note_hr"> </div> <a id="7.1.5.0.5" href="#"></a> <a id="7.1.5.requestmodification" href="#"></a> <a id="requestmodification" href="#"></a> <h5 class="head"><span class="text">Request Modification</span></h5> <p> Using path mapping rules (see <a class="link blank" target="_blank" href="../config/#requestprocessingconfiguration">Request Processing Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>), it is possible to remove or specifically set selected proxied request headers. Many headers are critical to server processing but some are informational or otherwise amenable to change. This can be undertaken using the SET mapping rule <span class="high italic">proxy=header=<parameter></span>. <p> For example, to have a proxy service suppress the "Referer:" request header: <div class="blockof code"># WASD_CONFIG_MAP set * proxy=header=referer </div> <p> To modify the "Referer:" request header to a fixed URL: <div class="blockof code">set * proxy=header=referer=https://whatever/ </div> <p> To modify the "User-Agent:" request header to a specific string: <div class="blockof code">set * "proxy=header=user-agent=None of your business!" 
</div> <a id="7.2" href="#"></a> <a id="7.2.proxycache" href="#"></a> <a id="proxycache" href="#"></a> <h2 class="head"><span class="numb">7.2</span><span class="text">Proxy Cache</span></h2> <a id="7.2.0.0.0.1" href="#"></a> <a id="7.2.proxycacheisobsolete" href="#"></a> <a id="proxycacheisobsolete" href="#"></a> <h6 class="head display0"><span class="text">Proxy Cache is OBSOLETE</span></h6> <p> Caching involves using the local file-system for storage of responses that can be reused when a request for the same URL is made. <div class="note"> <a id="7.2.0.0.1" href="#"></a> <a id="7.2.asofwasdv120cachingisobsolete" href="#"></a> <a id="asofwasdv120cachingisobsolete" href="#"></a> <h5 class="head center"><span class="text">As of WASD v12.0 Caching is OBSOLETE</span></h5> <hr class="note_hr"> <p> With the overwhelming Internet move to encrypted everything, the usefulness of a proxy server local cache for cleartext responses is marginal at best. Related configuration directives are reported obsolete and ignored. <hr class="note_hr"> </div> <a id="7.3" href="#"></a> <a id="7.3.connectserving" href="#"></a> <a id="connectserving" href="#"></a> <h2 class="head"><span class="numb">7.3</span><span class="text">CONNECT Serving</span></h2> <p> The <span class="high italic">connect</span> service provides firewall proxying for any connection-oriented TCP/IP access. Essentially it provides the ability to tunnel any other protocol via a Web proxy server. In the context of Web services it is most commonly used to provide firewall-transparent access for Secure Sockets Layer (SSL) transactions. It is a special case of the more general tunneling provided by WASD, see <a class="link" href="#7.7.tunnelingusingproxy">7.7 Tunneling Using Proxy</a>. 
<a id="7.3.1" href="#"></a> <a id="7.3.1.enablingconnectserving" href="#"></a> <a id="enablingconnectserving" href="#"></a> <h3 class="head"><span class="numb">7.3.1</span><span class="text">Enabling CONNECT Serving</span></h3> <p> As with proxy serving in general, CONNECT serving may be enabled on a per-service basis using the WASD_CONFIG_GLOBAL [service] directive, the WASD_CONFIG_SERVICE configuration file, or even the /SERVICE= qualifier. <p> The actual services providing the CONNECT access (i.e. the host and port) are specified on a per-service basis. This means it is possible to have CONNECT and non-CONNECT services deployed on the one server, as part of a general proxy service or standalone. CONNECT proxying is enabled by appending the <span class="high italic">connect</span> keyword to the particular service specification. The following example shows non-proxy and proxy services, with and without additional connect processing enabled. <div class="blockof code">[[http://alpha.example.com:80]] [[http://alpha.example.com:8080]] [ServiceProxy] enabled [[http://alpha.example.com:8081]] [ServiceProxyTunnel] connect [[http://alpha.example.com:8082]] [ServiceProxy] enabled [ServiceProxyTunnel] connect </div> <a id="7.3.2" href="#"></a> <a id="7.3.2.controllingconnectserving" href="#"></a> <a id="controllingconnectserving" href="#"></a> <h3 class="head"><span class="numb">7.3.2</span><span class="text">Controlling CONNECT Serving</span></h3> <p> The connect service poses a significant security dilemma when in use in a firewalled environment. Once a CONNECT service connection has been accepted and established it essentially acts as a relay to whatever data is passed through it. Therefore <span class="high bold">any transaction whatsoever</span> can occur via the connect service, which in many environments may be considered undesirable. 
<p> In the context of the Web and the use of the connect service for proxying SSL transactions it is advisable to restrict possible connections to the well-known SSL port, 443. This may be done using conditional directives, as in the following example: <div class="blockof code">[[alpha.example.com:8080]] if (request-method:CONNECT) pass *:443 pass * "403 CONNECT only allowed to port 443." endif </div> All of the comments on the use of general and conditional mapping made in <a class="link" href="#7.1.5.controllingproxyserving">7.1.5 Controlling Proxy Serving</a> can also be applied to the connect service. <a id="7.4" href="#"></a> <a id="7.4.socksversion5" href="#"></a> <a id="socksversion5" href="#"></a> <h2 class="head"><span class="numb">7.4</span><span class="text">SOCKS Version 5</span></h2> <p> SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server. SOCKS5 optionally provides authentication so only authorized users may access a server. Practically, a SOCKS server proxies TCP connections to an arbitrary IP address. <p> WASD SOCKS5 supports only CONNECT TCP/IP and not BIND or UDP-associate. <a id="7.4.0.0.1" href="#"></a> <a id="7.4.enablingsocks5proxy" href="#"></a> <a id="enablingsocks5proxy" href="#"></a> <h5 class="head"><span class="text">Enabling SOCKS5 Proxy</span></h5> <p> A SOCKS5 proxy connection must be mapped using the socks5:// pseudo scheme. The following rule allows connection to any host name or address. <div class="blockof code">[[alpha.example.com:8080]] pass socks5://* </div> To selectively allow SOCKS5 access then map to a specific host name or address, and optional port. 
<div class="blockof code">[[alpha.example.com:8080]] pass socks5://the.host.name pass socks5://134.142.71.8 pass socks5://137.146.74.10:22 </div> <a id="7.5" href="#"></a> <a id="7.5.ftpproxyserving" href="#"></a> <a id="ftpproxyserving" href="#"></a> <h2 class="head"><span class="numb">7.5</span><span class="text">FTP Proxy Serving</span></h2> <p> WASD provides a proxy service for the FTP scheme (protocol). This provides the facility to list directories on the remote FTP server, download and upload files. <p> The (probable) file system of the FTP server host is determined by examining the results of an FTP PWD command. If it returns a current working directory specification containing a "/" then it assumes it to be Unix(-like), if ":[" then VMS, if a "\" then DOS. (Some DOS-based FTP servers respond with a Unix-like "/" so a second level of file-system determination is undertaken with the first entry of the actual listing.) Anything else is unknown and reported as such. WASD (for the obvious reason) is particularly careful to perform well with FTP servers responding with VMS file specifications. <p> Note that the content-type of the transfer is determined by the way the proxy server interprets the FTP request path's "file" extension. This may or may not correspond with what the remote system might consider the file type to be. The default content-type for unknown file types is "application/octet-stream" (binary). When using the <span class="high italic">alt</span> query string parameters then for any file in a listing the icon provides an alternate content-type. If the file link provides a text document then the icon will provide a binary file. If the link returns a binary file then the icon will return a file with a plain-text content-type. <p> In addition to content-type the FTP mode in which the file transfer occurs can be determined by either of two conditions. If the content-type is "text/.." then the transfer mode will be ASCII (i.e. 
record carriage-control adjusted between systems). If not text then the file is transfered in Image mode (i.e. a binary, opaque octet-stream). For any given content-type this default behaviour may be adjusted using the [AddType] directive (see <a class="link blank" target="_blank" href="../config/#alphabeticlisting">Alphabetic Listing</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>) or the "#!+" MIME.TYPES directive (see <a class="link blank" target="_blank" href="../config/#mimetypes">MIME.TYPES</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>). <p> The following rules are required in WASD_CONFIG_MAP for mapping FTP proxy. This is preferably made against the virtual service providing the FTP proxy. The service explicitly must make the icon path used available or it must be available to the proxy service in some other part of the mappings. Also the general requirement for error message URLs applies to FTP proxying (<a class="link" href="#7.proxyerrormessages">‘Proxy Error Messages’ in 7. Proxy Services</a>). <div class="blockof code">[[proxy.host.name:8080]] pass http://* http://* pass ftp://* ftp://* pass /*/-/* /wasd_root/runtime/*/* </div> <a id="7.5.1" href="#"></a> <a id="7.5.1.ftpquerystringkeywords" href="#"></a> <a id="ftpquerystringkeywords" href="#"></a> <h3 class="head"><span class="numb">7.5.1</span><span class="text">FTP Query String Keywords</span></h3> <p> Keywords added to an FTP request query string allow the basic FTP action to be somewhat tailored. These case-insensitive keywords can be in the form of query keys or query form fields and values. This allows considerable flexibility in how they are supplied, allowing easy use from a browser URL field or for inclusion as form fields. 
<table class="tabl"> <tr class="tabr under"> <th class="tabh">Keyword <th class="tabh">Description <tr class="tabr"> <tr class="tabr backlight"> <td class="tabd">alt <td class="tabd">Adds alternate access (complementary content-type at the icon) for directory listings. <tr class="tabr"> <td class="tabd">ascii <td class="tabd">Force the file transfer type to be done as ASCII (i.e. with carriage-control conversion between systems with different representations). <tr class="tabr backlight"> <td class="tabd">content <td class="tabd">Explicitly specify the content type for the returned file (e.g. "content:text/plain", or "content=image/gif"). <tr class="tabr"> <td class="tabd">dos <td class="tabd">When generating a directory listing force the interpretation to be DOS. <tr class="tabr backlight"> <td class="tabd">email <td class="tabd">Explicitly specify the <span class="high italic">anonymous</span> access email address (e.g. "email:daniel@wasd.vsm.com.au" or "email=daniel@wasd.vsm.com.au"). <tr class="tabr"> <td class="tabd">image <td class="tabd">Force the file transfer type to be done as an opaque binary stream of octets. <tr class="tabr backlight"> <td class="tabd">list <td class="tabd">Displays the actual directory plain-text listing returned by the remote FTP server. Can be used for problem analysis. <tr class="tabr"> <td class="tabd">login <td class="tabd">Results in the server prompting for a username and password pair that are then used as the login credentials on the remote FTP server. <tr class="tabr backlight"> <td class="tabd">octet <td class="tabd">Force the content-type of the file returned to be specified as "application/octet-stream". <tr class="tabr"> <td class="tabd">text <td class="tabd">Force the content-type of the file returned to be specified as "text/plain". <tr class="tabr backlight"> <td class="tabd">unix <td class="tabd">When generating a directory listing force the interpretation to be Unix. 
<tr class="tabr"> <td class="tabd">upload <td class="tabd">Causes the server to return a simple file transfer form allowing the upload of a file from the local system to the remote FTP server. <tr class="tabr backlight"> <td class="tabd">vms <td class="tabd">When generating a directory listing force the interpretation to be VMS. </table> <a id="7.5.2" href="#"></a> <a id="7.5.2.quotloginquotkeyword" href="#"></a> <a id="quotloginquotkeyword" href="#"></a> <h3 class="head"><span class="numb">7.5.2</span><span class="text">"login" Keyword</span></h3> <p> The usual mechanism for supplying the username and password for access to a non-anonymous proxied FTP server area is to place it as part of the request line (i.e. "ftp://username:password@the.host.name/path/"). This has the obvious disadvantage that it's there for all and sundry to see. <p> The "login" query string is provided to work around the more obvious of these issues, having the authentication credentials as part of the request URL. When this string is placed in the request query string the FTP proxy requests the browser to prompt for authentication (i.e. returns a 401 status). When request header authentication data is present it uses this as the remote FTP server username and password. Hence the remote username and password never need to appear in plain-text on screen or in server logs. They are, however, still carried in the request's authentication header and then sent to the remote FTP server over the FTP control connection, so the "login" keyword alone does not protect them in transit. <a id="7.6" href="#"></a> <a id="7.6.gatewayingusingproxy" href="#"></a> <a id="gatewayingusingproxy" href="#"></a> <h2 class="head"><span class="numb">7.6</span><span class="text">Gatewaying Using Proxy</span></h2> <p> WASD is fully capable of mapping non-proxy into proxy requests, with various limitations on effectiveness considering the nature of what is being performed. 
<p> Gatewaying between request schemes (protocols) <ul class="list simple list0"> <li class="item"> HTTP to HTTP (a gateway <span class="high italic">of sorts</span> - standard proxy) <li class="item"> HTTP to HTTP-over-SSL (non-secure to secure) <li class="item"> HTTP to FTP <li class="item"> HTTP-over-SSL to HTTP (secure to non-secure) <li class="item"> HTTP-over-SSL to HTTP-over-SSL (secure to secure) <li class="item"> HTTP-over-SSL to FTP </ul> <p> and also gatewaying between IP versions <ul class="list simple list0"> <li class="item"> IPv4 to IPv6 <li class="item"> IPv6 to IPv4 </ul> <p> All can be useful for various reasons. One example might be where a script is required to obtain a resource from a secure server via SSL. The script can either be made SSL-aware, sometimes a not insignificant undertaking, or it can use standard HTTP to the proxy and have that access the required server via SSL. Another example might be accessing an internal HTTP resource from an external browser securely, with SSL being used from the browser to the proxy server, which then accesses the internal HTTP resource on its behalf. <a id="7.6.0.0.1" href="#"></a> <a id="7.6.requestredirect" href="#"></a> <a id="requestredirect" href="#"></a> <h5 class="head"><span class="text">Request Redirect</span></h5> <p> The basic mechanism allowing this gatewaying is "internal" redirection. The <span class="high italic">redirect</span> mapping rule (see <a class="link blank" target="_blank" href="../config/#redirectrule">REDIRECT Rule</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>) either returns the new URL to the originating client (requiring it to reinitiate the request) or begins reprocessing the request internally (transparently to the client). It is this latter function that is obviously used for gatewaying. 
<a id="7.6.1" href="#"></a> <a id="7.6.1.reverseproxy" href="#"></a> <a id="reverseproxy" href="#"></a> <h3 class="head"><span class="numb">7.6.1</span><span class="text">Reverse Proxy</span></h3> <p> The use of WASD proxy serving as a firewall component assumes two configured network interfaces on the system, one of which is connected to the internal network, the other to the external network. (Firewalling could also be accomplished using a single network interface with router blocking external access to all but the server system.) Outgoing (internal to external) proxying is the most common configuration, however a proxy server can also be used to provide controlled external access to selected internal resources. This is sometimes known as <span class="high italic">reverse proxy</span> and is a specific example of WASD's general <span class="high italic">non-proxy to proxy</span> request redirection capability (<a class="link" href="#7.6.gatewayingusingproxy">7.6 Gatewaying Using Proxy</a>). <p> In this configuration the proxy server is contacted by an external browser with a standard HTTP request. Proxy server rules map this request onto a proxy-request format result. For example: <div class="blockof code">redirect /sales/* /http://sales.server.com/*? </div> <p> Note that the trailing question-mark is required to propagate any query string (see <a class="link blank" target="_blank" href="../config/#redirectrule">REDIRECT Rule</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>). <p> The server recognises the result format and performs a proxy request to a system on the internal network. Note that the mappings required could become quite complex, but it is possible. See example 7 in <a class="link" href="#7.1.5.controllingproxyserving">7.1.5 Controlling Proxy Serving</a>. 
<a id="7.6.1.0.1" href="#"></a> <a id="7.6.1.redirectionlocationfield" href="#"></a> <a id="redirectionlocationfield" href="#"></a> <h5 class="head"><span class="text">Redirection Location Field</span></h5> <p> If a reverse proxied server returns a redirection response (302) containing a "Location: <span class="high italic">url</span>" field with the host component the same reverse-proxied-to server it can be rewritten to instead contain the proxy server host. If these do not match the rewrite does not occur. Using the redirection example above, the SET mapping rule <span class="high italic">proxy=reverse=location</span> specifies the path that will be prefixed to the path component in the location field URL. Usually this would be the same path used to map the reverse proxy redirect (in this example "/sales/"), though could be any string (presumably detected and processed by some other part of the mapping). <div class="blockof code">set /sales/* proxy=reverse=location=/sales/ redirect /sales/* /http://sales.server.com/*? </div> This could be simplified a little by using a postfix SET rule along with the original redirect. <div class="blockof code">redirect /sales/* /http://sales.server.com/*? proxy=reverse=location=/sales/ </div> <p> If the <span class="high italic">proxy=reverse=location=<string></span> ends in an asterisk the entire 302 location field URL is appended (rather than just the path) resulting in something along the lines of <div class="blockof code">Location: http://proxy.server.com/sales/http://sales.server.com/path/ </div> which once redirected by the client can be subsequently tested for and some action made by the proxy server according to the content (just a bell or whistle ;-). 
<a id="7.6.1.0.2" href="#"></a> <a id="7.6.1.authorizationverification" href="#"></a> <a id="authorizationverification" href="#"></a> <h5 class="head"><span class="text">Authorization Verification</span></h5> <p> WASD can authorize reverse proxy requests locally (perhaps from the SYSUAF) and rewrite that username into the proxied requests "Authorization: …" field. The proxied-to server can then verify that the request originated from the proxy server and extract and use that username as authenticated. <p> This functionality is described in the <a class="link blank" target="_blank" href="/wasd_root/src/httpd/proxyverify.c">WASD_ROOT:[SRC.HTTPD]PROXYVERIFY.C</a> module. <a id="7.6.2" href="#"></a> <a id="7.6.2.proxyrework" href="#"></a> <a id="proxyrework" href="#"></a> <h3 class="head"><span class="numb">7.6.2</span><span class="text">Proxy Rework</span></h3> <p> The proxy rework facility will modify a target string to a replacement string in the request header (e.g. Host:), the response header (e.g. set-cookie:), and in the response body. Rework will be applied to HTML and CSS responses. <p> These are simple string matches. <p> Proxy rework must be enabled for a service by setting a maximum size for the HTML response body to be reworked, in kB. <div class="blockof code"># WASD_CONFIG_SERVICE [[*.1924]] [ServiceReworkMax] 128 </div> Specific paths must then be SET in WASD_CONFIG_MAP to have proxy requests reworked. <div class="blockof code"># WASD_CONFIG_MAP [[*:1924]] set * proxy=rework=192.168.1.3=192.168.1.2 </div> <div class="note center"><a id="7.6.2.0.0.1" href="#"></a> <a id="7.6.2.note" href="#"></a> <a id="note" href="#"></a> <h5 class="head center"><span class="text">Note</span></h5> <hr class="note_hr"> <span class="high bold">Proxy rework likely needs a lot more work!</span> <hr class="note_hr"> </div> <p> Also consider the <a class="link" href="#7.6.2.proxymungeutility">‘proxyMUNGE Utility’ in 7.6.2 Proxy Rework</a> below. 
<a id="7.6.2.0.1" href="#"></a> <a id="7.6.2.proxymungeutility" href="#"></a> <a id="proxymungeutility" href="#"></a> <h5 class="head"><span class="text">proxyMUNGE Utility</span></h5> <p> This utility (CGIplus script) can be used to rewrite HTTP response "Location:" fields, "Set-Cookie:" path and domain components and URLs in HTML and CSS content. <p> This functionality is described in the prologue to the code <a class="link blank" target="_blank" href="/wasd_root/src/utils/proxymunge.c">WASD_ROOT:[SRC.UTILS]PROXYMUNGE.C</a> <div class="note"><a id="7.6.2.0.1.1" href="#"></a> <a id="7.6.2.note" href="#"></a> <a id="note" href="#"></a> <h5 class="head center"><span class="text">Note</span></h5> <hr class="note_hr"> The proxyMUNGE Utility handles all response rewriting and so when employing it to perform reverse-proxy processing it is unnecessary to use the <span class="high italic">proxy=reverse=location=<string></span> mapping rule described in <a class="link" href="#7.6.1.redirectionlocationfield">‘Redirection Location Field’ in 7.6.1 Reverse Proxy</a>. <hr class="note_hr"> </div> <a id="7.6.3" href="#"></a> <a id="7.6.3.oneshotproxy" href="#"></a> <a id="oneshotproxy" href="#"></a> <h3 class="head"><span class="numb">7.6.3</span><span class="text">One-Shot Proxy</span></h3> <p> This looks a little like reverse proxy, providing access to a non-local resource via a standard (non-proxy) request. The difference allows the client to determine which remote resource is accessed. This works quite effectively for non-HTML resources (e.g. image, binary files, etc.) but non-self-referential links in HTML documents will generally be inaccessible to the client. This can provide scripts with access to protocols they do not support, as with HTTP to FTP, HTTP to HTTP-over-SSL, etc. <p> Mappings appropriate to the protocols to be supported must be made against the proxy service. Of course mapping rules may also be used to control whom or to what is connected. 
<div class="blockof code">[[the.proxy.service:port]] # support "one-shot" non-proxy to proxy redirect redirect /http://* http://* redirect /https://* https://* redirect /ftp://* ftp://* # OK to process these (already, or now) proxy format requests pass http://* http://* pass https://* https://* pass ftp://* ftp://* </div> <p> The client may then provide the desired URL as the path of the request to the proxy service. Notice that the scheme provided in the desired URL can be any supported by the service and its mappings. <div class="blockof code">http://the.proxy.service:port/http://the.remote.host/path http://the.proxy.service:port/https://the.remote.host/path http://the.proxy.service:port/ftp://the.remote.host/pub/ </div> <a id="7.6.4" href="#"></a> <a id="7.6.4.dnswildcardproxy" href="#"></a> <a id="dnswildcardproxy" href="#"></a> <h3 class="head"><span class="numb">7.6.4</span><span class="text">DNS Wildcard Proxy</span></h3> <p> This relies on being able to manipulate host records in the DNS or local name resolution database. If a "*.the.proxy.host" DNS (CNAME) record is resolved it allows any host name ending in ".the.proxy.host" to be resolved to the corresponding IP address. Similarly (at least the Compaq TCP/IP Services) the local host database allows an alias like "another.host.name.proxy.host.name" for the proxy host name. Both of these would allow a browser to access "another.host.name.proxy.host.name" with it resolved to the proxy service. The request "Host:" field would contain "another.host.name.proxy.host.name". <p> Using this approach a fully functioning proxy may be implemented for the browser without actually configuring it for proxy access, where returned HTML documents contain links that are always correct with reference to the host used to request them. This allows the client an <span class="high italic">ad hoc</span> proxy for selected requests. 
For a wildcard (CNAME) record the browser user may enter any host name prepended to the proxy service host name and port and have the request proxied to that host name. Entering the following URL into the browser location field <div class="blockof code">http://the.host.name.the.proxy.service:8080/path </div> would result in a standard HTTP proxy request for "/path" being made to "the.host.name:80". With the URL <div class="blockof code">https://the.host.name.the.proxy.service:8443/path </div> an SSL proxy request. Note that normally the well-known port would be used to connect to (80 for http: and 443 for https:). If the final, period-separated component of the wildcard host name is all digits it is interpreted as a specific port to connect to. The example <div class="blockof code">http://the.host.name.8001.the.proxy.service:8080/path </div> would connect to "the.host.name:8001", and <div class="blockof code">https://the.host.name.8443.the.proxy.service:8443/path </div> to "the.host.name:8443". <div class="note"><a id="7.6.4.0.0.1" href="#"></a> <a id="7.6.4.note" href="#"></a> <a id="note" href="#"></a> <h5 class="head center"><span class="text">Note</span></h5> <hr class="note_hr"> It has been observed that some browsers insist that an all-digit host name element is a port number despite it being prefixed by a period not a colon. These browsers then attempt to contact the host/port directly. This obviously precludes using an all-digit element to indicate a target port number with these browsers. <hr class="note_hr"> </div> <p> This wildcard DNS entry approach is a more fully functional analogue to common proxy behaviour but is slightly less flexible in providing gatewaying between protocols and does require more care in configuration. It also relies on the contents of the request "Host:" field to provide mapping information (which generally is not a problem with modern browsers). 
The mappings must be performed in two parts, the first to handle the wildcard DNS entry, the second is the fairly standard rule(s) providing access for proxy processing. <div class="blockof code">[[the.proxy.service:port1]] if (host:*.the.proxy.service:port1) redirect * /http://* else pass http://* http://* endif </div> <p> The obvious difference between this and one-shot proxy is the desired host name is provided as part of the URL host, not part of the request path. This allows the browser to correctly resolve HTML links etc. It is less flexible because a different proxy service needs to be provided for each protocol mapping. Therefore, to allow HTTP to HTTP-over-SSL proxy gatewaying another service and mapping would be required. <div class="blockof code">[[the.proxy.service:port2]] if (host:*.the.proxy.service:port2) redirect * /https://* else pass https://* https://* endif </div> <a id="7.6.5" href="#"></a> <a id="7.6.5.originatingssl" href="#"></a> <a id="originatingssl" href="#"></a> <h3 class="head"><span class="numb">7.6.5</span><span class="text">Originating SSL</span></h3> <p> This proxy function allows standard HTTP clients to connect to Secure Sockets Layer (<a class="link" href="#4.transportlayersecurity">4. Transport Layer Security</a>) services. This is very different to the CONNECT service (<a class="link" href="#7.3.connectserving">7.3 CONNECT Serving</a>), allowing scripts and standard character-cell browsers supporting only HTTP to access secure services. <p> Standard username/password authentication is supported (as are all other standard HTTP request/response interactions). The use of X.509 client certificates (<a class="link" href="#4.5.12.authorizationusingx509certification">4.5.12 Authorization Using X.509 Certification</a>) to establish outgoing identity is not currently supported. 
<a id="7.6.5.0.1" href="#"></a> <a id="7.6.5.enablingssl" href="#"></a> <a id="enablingssl" href="#"></a> <h5 class="head"><span class="text">Enabling SSL</span></h5> <p> Unlike HTTP and FTP proxying, it requires the service to be specifically configured using the [ServiceClientSSL] directive. <p> There are a number of Secure Sockets Layer related service parameters that should also be considered (see <a class="link blank" target="_blank" href="../config/#serviceconfiguration">Service Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>). Although most have workable defaults, note that unless [ServiceProxyClientSSLverifyCA] and [ServiceProxyClientSSLverifyCAfile] are specifically set, the outgoing connection is established without any verification of the remote server's certificate. This means the remote host's secure service cannot be considered trustworthy, as its credentials have not been verified. <div class="blockof code">[[http://alpha.example.com:8080]] [ServiceProxy] enabled [ServiceClientSSL] enabled </div> <a id="7.7" href="#"></a> <a id="7.7.tunnelingusingproxy" href="#"></a> <a id="tunnelingusingproxy" href="#"></a> <h2 class="head"><span class="numb">7.7</span><span class="text">Tunneling Using Proxy</span></h2> <p> WASD supports the CONNECT method which effectively allows tunneling of raw octets through the proxy server. This facility is most commonly used to allow secure SSL connections to be established with hosts on the 'other side' of the proxy server. This basic mechanism is also used by WASD to provide an extended range of tunneling services. The term <span class="high italic">raw</span> is used here to indicate an 8 bit, bidirectional, asynchronous exchange of octets between two entities, as a protocol family, not necessarily as an application (but can be so). 
Global proxy serving must be enabled (<a class="link" href="#7.1.1.enablingaproxyservice">7.1.1 Enabling A Proxy Service</a>) and then each service must be configured and mapped according to the desired mode of tunneling. Disabling or setting timeouts appropriately on the mapped service is important if connections are not to be disrupted by general server timeouts on output and non-progress (quiescent connections). <a id="7.7.1" href="#"></a> <a id="7.7.1.serviceproxytunnelconnect" href="#"></a> <a id="serviceproxytunnelconnect" href="#"></a> <h3 class="head"><span class="numb">7.7.1</span><span class="text">[ServiceProxyTunnel] CONNECT</span></h3> <p> A service with this configuration is used as a target for CONNECT proxying (usually SSL through a firewall). The client expects an HTTP success (200) response once the remote connection is established, and HTTP error response if there is a problem, and once established just relays RAW octets through the proxy server (classic CONNECT behaviour). <div class="blockof code"># WASD_CONFIG_SERVICE [[http://*:8080]] [ServiceProxy] enabled [ServiceProxyTunnel] connect </div> <div class="blockof code"># WASD_CONFIG_MAP [[*:8080]] if (request-method:connect) pass *:443 *:443 pass * "403 CONNECT only allowed to port 443." endif </div> <p> This configuration enables CONNECT processing and limits any connect to SSL tunneling (i.e. port 443 on the remote system). <a id="7.7.2" href="#"></a> <a id="7.7.2.serviceproxytunnelraw" href="#"></a> <a id="serviceproxytunnelraw" href="#"></a> <h3 class="head"><span class="numb">7.7.2</span><span class="text">[ServiceProxyTunnel] RAW</span></h3> <p> This allows any raw octet client (e.g. telnet) to connect to the port and by mapping be tunnelled to another host and port to connect to its service (e.g. a telnet service). The usual HTTP responses associated with CONNECT processing are not provided. 
<div class="blockof code"># WASD_CONFIG_SERVICE [[http://*:10023]] [ServiceProxy] enabled [ServiceProxyTunnel] raw </div> <div class="blockof code"># WASD_CONFIG_MAP [[*:10023]] if (request-method:connect) pass *:0 raw://another.host:23 timeout=none,none,none endif pass "403" </div> <p> Telnet is used in the example above but the principle equally applies to any protocol that uses a raw 8 bit, bidirectional, asynchronous exchange of octets. Another example might be an SMTP service (port 25). <a id="7.7.2.0.1" href="#"></a> <a id="7.7.2.ssltoraw" href="#"></a> <a id="ssltoraw" href="#"></a> <h5 class="head"><span class="text">SSL to RAW</span></h5> <p> Using a tunnel it is possible to put a TLS/SSL (https://) front-end service to an otherwise plaintext-only service (http://). <div class="blockof code"># WASD_CONFIG_SERVICE [[https://tls-host:443]] [ServiceNonSSLRedirect] https://tls.host:443 [ServiceProxy] enabled [ServiceProxyTunnel] raw </div> <div class="blockof code"># WASD_CONFIG_MAP [[*:443]] if (request-method:connect) pass *:0 raw://non-tls.host:80 endif pass "403" </div> <a id="7.7.2.0.2" href="#"></a> <a id="7.7.2.chainingraw" href="#"></a> <a id="chainingraw" href="#"></a> <h5 class="head"><span class="text">Chaining RAW</span></h5> <p> It is possible to have a raw tunnel establish itself through a proxy chain (<a class="link" href="#7.1.4.proxychaining">7.1.4 Proxy Chaining</a>) by transparently generating an intermediate CONNECT request to the up-stream proxy server. Note that not all CONNECT proxies will allow connection to just any specified port. For security reasons it is quite common to restrict CONNECT to port 443. 
<div class="blockof code"># WASD_CONFIG_SERVICE [[http://*:10025]] [ServiceProxy] enabled [ServiceProxyTunnel] raw </div> <div class="blockof code"># WASD_CONFIG_MAP [[*:10025]] if (request-method:connect) pass *:0 raw://another.host:25 proxy=chain=proxy.host:8080 endif pass "403" </div> <p> Any error in connecting to the chained proxy, making the request, connecting to the destination, etc. (i.e. any error at all) is not reported. The network connection is just dropped. Use WATCH to establish the cause if necessary. <a id="7.7.3" href="#"></a> <a id="7.7.3.serviceproxytunnelfirewall" href="#"></a> <a id="serviceproxytunnelfirewall" href="#"></a> <h3 class="head"><span class="numb">7.7.3</span><span class="text">[ServiceProxyTunnel] FIREWALL</span></h3> <p> With this configuration a service expects that the first line of text from the client contains a host name (or IP address) and optional port (e.g. "the.host.name" or "the.host.name:23"). This allows a variable destination to be mapped. The usual HTTP responses associated with CONNECT processing are not provided. <div class="blockof code"># WASD_CONFIG_SERVICE [[http://*:10023]] [ServiceProxy] enabled [ServiceProxyTunnel] FIREWALL </div> <div class="blockof code"># WASD_CONFIG_MAP [[*:10023]] if (request-method:connect) pass *:* raw://*:23 timeout=none,none,none pass * raw://*:23 timeout=none,none,none endif pass "403" </div> <p> The pass rules force the supplied domain name (and optional port) to be mapped to the telnet port (23). Of course the mapping rules could allow the supplied port to be mapped into the destination if desired. <a id="7.7.3.0.1" href="#"></a> <a id="7.7.3.chainingfirewall" href="#"></a> <a id="chainingfirewall" href="#"></a> <h5 class="head"><span class="text">Chaining FIREWALL</span></h5> <p> As with [ServiceProxyTunnel] RAW it is possible to chain FIREWALL services to an up-stream proxy server. 
See <a class="link" href="#7.7.2.chainingraw">‘Chaining RAW’ in 7.7.2 [ServiceProxyTunnel] RAW</a>. <a id="7.7.4" href="#"></a> <a id="7.7.4.encryptedtunnel" href="#"></a> <a id="encryptedtunnel" href="#"></a> <h3 class="head"><span class="numb">7.7.4</span><span class="text">Encrypted Tunnel</span></h3> <p> Up to this point the tunnels have merely been through the proxy server. It is possible to establish and maintain ENCRYPTED TUNNELS between WASD servers. SSL is used for this purpose. This is slightly more complex as both ends of the tunnel need to be configured. <div class="drawing dfont draw indent"> ┌────────────┐ ┌────────────┐<br> <span class="dnoflip">◄</span>──unencrypted──<span class="dhflip">◄</span>│ WASD proxy │<span class="dnoflip">◄</span>──ENCRYPTED──<span class="dhflip">◄</span>│ WASD proxy │<span class="dnoflip">◄</span>──unencrypted──<span class="dhflip">◄</span><br> └────────────┘ └────────────┘<br> </div> <p> This arrangement may be used for any stream-oriented, network protocol between two WASD systems. As it uses standard CONNECT requests (over SSL) it MAY also be possible to be configured between WASD and non-WASD servers. <p> The following example is going to maintain an encrypted tunnel between WASD servers running on systems KLAATU and GORT. It is designed to allow a user on KLAATU to connect to a specified port using a telnet client, and have a telnet session created on GORT, tunnelled between the two systems via an SSL encrypted connection. 
<p> Source of tunnel: <div class="blockof code"># KLAATU WASD_CONFIG_SERVICE [[http://*:10023]] [ServiceProxy] enabled [ServiceClientSSL] ENABLED [ServiceProxyTunnel] RAW </div> <div class="blockof code"># KLAATU WASD_CONFIG_MAP [[*:10023]] # if the client is on the local subnet if (remote-addr:192.168.0.0/24 && request-method:connect) pass *:0 https://gort.domain:10443 timeout=none,none,none endif pass "403" </div> <p> Destination of tunnel: <div class="blockof code"># GORT WASD_CONFIG_SERVICE [[https://*:10443]] [ServiceProxy] enabled [ServiceProxyTunnel] CONNECT </div> <div class="blockof code"># GORT WASD_CONFIG_MAP [[*:10443]] # limit the connection to a specific host if (remote-addr:192.168.0.10 && request-method:connect) pass *:0 raw://gort.domain:23 timeout=none,none,none endif pass "403" </div> <p> When a client connects to the service provided by port 10023 on system KLAATU the connection is immediately processed using a pseudo CONNECT request header. The service on this port is a proxy allowed to initiate SSL connections (client SSL). This service is mapped to system GORT port 10443, an SSL service that allows the CONNECT method (tunneling). KLAATU's proxy initiates an SSL connection with GORT. When established and the CONNECT request from KLAATU is received, it is mapped via a raw tunnel (8 bit, etc.) to its own system port 23 (the telnet service). Telnet is in use at both ends while encrypted by SSL in between! Note the use of network addresses and general fail rules used to control access to this service, as well as the disabling of timers that might otherwise shut down the tunnel. <a id="7.7.5" href="#"></a> <a id="7.7.5.encryptedtunnelwithauthentication" href="#"></a> <a id="encryptedtunnelwithauthentication" href="#"></a> <h3 class="head"><span class="numb">7.7.5</span><span class="text">Encrypted Tunnel With Authentication</span></h3> <p> This arrangement is essentially a variation on example 4. 
It provides a cryptographic authentication of the originator (source) of the tunnel. <p> Source of tunnel: <div class="blockof code"># KLAATU WASD_CONFIG_SERVICE [[http://*:10023]] [ServiceProxy] enabled [ServiceClientSSL] enabled [ServiceProxyTunnel] RAW [ServiceClientSSLcert] WASD_ROOT:[LOCAL]HTTPD.PEM </div> <div class="blockof code"># KLAATU WASD_CONFIG_MAP [[*:10023]] # if the client is on the local subnet if (remote-addr:192.168.0.0/24 && request-method:connect) pass *:0 https://gort.domain:10443 timeout=none,none,none endif pass "403" </div> <p> Destination of tunnel: <div class="blockof code"># GORT WASD_CONFIG_SERVICE [[https://*:10443]] [ServiceProxy] enabled [ServiceProxyTunnel] CONNECT [ServiceProxyAuth] PROXY </div> <div class="blockof code"># GORT WASD_CONFIG_MAP [[*:10443]] # we'll be relying on X509 authentication if (request-method:connect) pass *:0 raw://gort.domain:23 timeout=none,none,none endif pass "403" </div> <div class="blockof code"># GORT WASD_CONFIG_AUTH [[*:10443]] [X509] * r+w,param="[VF:OPTIONAL]",~4EAB3CBC735F8C7977EBB41D45737E37 </div> <p> This works by configuring the destination service to insist on proxy authorization. The authorization realm is X509 which causes the destination to demand a certificate from the source (<a class="link" href="#4.5.12.authorizationusingx509certification">4.5.12 Authorization Using X.509 Certification</a>). The fingerprint of this certificate is checked against the authorization rule before the connection is allowed to proceed. 
<a id="7.7.6" href="#"></a> <a id="7.7.6.sharedsshtunnel" href="#"></a> <a id="sharedsshtunnel" href="#"></a> <h3 class="head"><span class="numb">7.7.6</span><span class="text">Shared SSH Tunnel</span></h3> <p> The objective of this <span class="high italic">raw</span> tunnel variant (see <a class="link" href="#7.7.2.serviceproxytunnelraw">7.7.2 [ServiceProxyTunnel] RAW</a>) is to allow tunneling of Secure Shell (SSH) via a client site proxy server CONNECT which is usually confined to port 443. Of course most Web servers are configured to provide SSL HTTP on port 443. Sharing of HTTP and SSH on the same port is a little problematic and involves some protocol detection. The following explanation of how it is implemented is so that the reader can understand the requirement for the "timeout quirk". <p> On configured services; WASD <span class="high italic">peeks</span> at the incoming TCP byte stream to see if it's SSH protocol. If it is, the socket is associated with a proxy raw tunneling service and proxy tunneling initiated to a mapped SSH server. However (just to make it interesting) some SSH clients do not initiate their own exchange until after the SSH server, and so <span class="high italic">peeking</span> only works for a subset of clients. Of course this is a Catch-22 of sorts! To provide for these clients; if an input timeout should occur (an SSH client waiting) WASD sets up the tunnel anyway and begins the proxy. The proxied SSH server should then initiate the protocol and the client respond. The directive [ServiceShareSSH] configured to be non-zero both enables this facility for a service and sets the input timeout period (which perhaps should be shorter than the default 30 seconds because such clients will wait that long for any SSH server response). 
<p> This approach seems to work well-enough in practice, although users need to be aware that some clients will pause (for the duration of the timeout period – the "timeout quirk") during initial connection setup. <div class="blockof code"># WASD_CONFIG_SERVICE [[https://*:443] [ServiceShareSSH] 10 [[http://*:10022]] [ServiceProxy] enabled [ServiceProxyTunnel] raw </div> <div class="blockof code"># WASD_CONFIG_MAP [[*:443] if (request-method:ssh) pass * raw://ssh.server.host:22 \ service=the.proxy.host:10022 \ timeout=none,none,none endif [[*:10022]] pass "403" </div> <p> This example shows an SSL service, the desired SSH service (which can be local or remote) and the internal proxy service that will provide the connection. <a id="7.7.7" href="#"></a> <a id="7.7.7.complexprivatetunneling" href="#"></a> <a id="complexprivatetunneling" href="#"></a> <h3 class="head"><span class="numb">7.7.7</span><span class="text">Complex Private Tunneling</span></h3> <p> When creating <span class="high italic">raw</span> tunnels between WASD servers, and possibly in other circumstances, it is often useful to be able to signal <span class="high italic">tunnel purpose</span> to the remote end. In this way a single destination port can support multiple tunneling purposes simply through mapping rules. An originating end can <span class="high italic">inject</span> an HTTP request line, or full request, into the established tunnel connection, which can then be processed by the usual WASD request mapping, and from that alternate services provided based on the intent signalled by the originating end. <p> This somewhat complex but instructive example illustrates the potential utility and versatility of WASD tunneling. It involves an originating WASD server, a destination (service providing) WASD server, and just to make it interesting an intermediate chained HTTP proxy server (not WASD). 
The idea is to provide access to various application services not necessarily supported by intermediate HTTP proxies and/or gateways. Four services will be supported by the example; SSH, NNTP IMAP and SMTP. <div class="drawing dfont draw indent"> inside firewall outside<br> <br> ┌────────────┐ ┌─────────────┐ ┌────────────┐<br> <span class="dnoflip">◄</span>──raw──<span class="dhflip">◄</span>│ WASD proxy │<span class="dnoflip">◄</span>──ENCRYPTED──<span class="dhflip">◄</span>│ other proxy │<span class="dnoflip">◄</span>──ENCRYPTED──<span class="dhflip">◄</span>│ WASD proxy │<span class="dnoflip">◄</span>──raw──<span class="dhflip">◄</span><br> └────────────┘ └─────────────┘ └────────────┘<br> <br> wasd.internal.net proxy.internal.net wasd.external.net<br> proxy.external.net<br> <br> SSH───8022──┐ ╎ ╎ ┌────22───SSH<br> SMTP───8025──┼────────────────────────────┤╌╌╌╌┤─────────────────────────────┼────25───SMTP<br> NNTP───8119──┤ ╎╌╌╌╌╎ ├───119───NNTP<br> IMAP───8143──┘ ╎ ╎ └───143───IMAP<br> </div> <a id="7.7.7.0.1" href="#"></a> <a id="7.7.7.internalservices" href="#"></a> <a id="internalservices" href="#"></a> <h5 class="head"><span class="text">Internal Services</span></h5> <p> These are the services assigned on the WASD server on the inside of the proxy/gateway. Note that there is one per application to be tunneled. For simplicity each service port number has been selected to parallel the well-known application port number. Note that <span class="high italic">proxy</span> is enabled on each (allowing them to initiate outgoing connections) and each has <span class="high italic">SSL</span> enabled (further allowing them to initiate encrypted connections). 
<div class="blockof code"># client SSH [[http://*:8022]] [ServiceProxy] enabled [ServiceProxyTunnel] RAW [ServiceClientSSL] enabled # client SMTP [[http://*:8025]] [ServiceProxy] enabled [ServiceProxyTunnel] RAW [ServiceClientSSL] enabled # client IMAP [[http://*:8143]] [ServiceProxy] enabled [ServiceProxyTunnel] RAW [ServiceClientSSL] enabled # client NNTP [[http://*:8119]] [ServiceProxy] enabled [ServiceProxyTunnel] RAW [ServiceClientSSL] enabled </div> <p> Each client application (i.e. IMAP, SSH) must be configured to connect to its corresponding service port (e.g. IMAP to 8143, SMTP to 8025). <a id="7.7.7.0.2" href="#"></a> <a id="7.7.7.internalmapping" href="#"></a> <a id="internalmapping" href="#"></a> <h5 class="head"><span class="text">Internal Mapping</span></h5> <p> These mappings are made on the WASD server on the inside of the proxy/gateway. The rules essentially initiate an outgoing encrypted (SSL) connection to the host <span class="high italic">wasd.external.net</span> supporting the external WASD proxy server. Each is also configured not to connect directly but to request the chained proxy server <span class="high italic">proxy.internal.net</span> to establish the connection on their behalf. 
<div class="blockof code">!##### SSH ##### [[*:8022]] pass * https://wasd.external.net:443 notimeout \ proxy=tunnel=request="CONNECT wasd-ssh" \ proxy=chain=proxy.internal.net:8080 !##### SMTP ##### [[*:8025]] pass * https://wasd.external.net:443 \ proxy=tunnel=request="CONNECT external-smtp" \ proxy=chain=proxy.internal.net:8080 !##### NNTP ##### [[*:8119]] pass * https://wasd.external.net:443 \ proxy=tunnel=request="CONNECT external-nntp" \ proxy=chain=proxy.internal.net:8080 !##### IMAP ##### [[*:8143]] pass * https://wasd.external.net:443 \ proxy=tunnel=request="CONNECT external-imap" \ proxy=chain=proxy.internal.net:8080 </div> <p> If the up-stream proxy server successfully connects to <span class="high italic">wasd.external.net</span> port 443 the proxy server allows the byte-stream to be asynchronously and bidirectionally exchanged with the internal WASD server outgoing connection. This internal WASD server has initiated an SSL connection and the external server port 443 expects SSL so they can now both negotiate an SSL-encrypted channel essentially directly with each other. <a id="7.7.7.0.3" href="#"></a> <a id="7.7.7.externalservices" href="#"></a> <a id="externalservices" href="#"></a> <h5 class="head"><span class="text">External Services</span></h5> <p> The external WASD service configuration is very simple, a single SSL port. <div class="blockof code"># general SSL service [[https://wasd.external.net:443]] # outgoing proxy/tunnel service [[http://wasd.external.net:1234]] [ServiceProxy] enabled [ServiceProxyTunnel] raw [ServiceClientSSL] ENABLED </div> <p> Connections to the 443 port are expected to undertake an SSL negotiation to establish an encrypted channel. This includes incoming tunnel connections. The service on port 1234 is required to support the connections outgoing from the external WASD server to the application server ports. 
<a id="7.7.7.0.4" href="#"></a> <a id="7.7.7.externalmapping" href="#"></a> <a id="externalmapping" href="#"></a> <h5 class="head"><span class="text">External Mapping</span></h5> <p> These mappings are all applied to requests at port 443 on the external WASD server <span class="high italic">wasd.external.net</span>. Each rule checks three request characteristics. First, the request method, "CONNECT". Second, the request URI, which varies according to the request. These are the request data injected by the internal WASD server <span class="high italic">wasd.internal.net</span> using the <span class="high italic">set=proxy=tunnel=request=</span> mapping rule on the outgoing connection. Third, the originating host (<span class="high italic">proxy.external.net</span>) address adds an extra filter on from where this facility may be used. The respective <span class="high italic">pass</span> of the matching rule then initiates an outgoing connection to the respective application server's well-known port. A timeout is applied to limit connection times. <div class="blockof code">!# SSH tunneling [[*:443]] if (request-method:CONNECT && \ request-uri:"wasd-ssh" && \ remote-addr:205.3.*) \ pass * raw://wasd.external.net:22 service=*:1234 timeout=noprogress=00:00:50 !# SMTP tunneling [[*:443]] if (request-method:CONNECT && \ request-uri:"external-smtp" && \ remote-addr:205.3.*) \ pass * raw://smtp.isp.net:25 service=*:1234 timeout=noprogress=00:00:50 !# NNTP tunneling [[*:443]] if (request-method:CONNECT && \ request-uri:"external-nntp" && \ remote-addr:205.3.*) \ pass * raw://news.isp.net:119 service=*:1234 timeout=noprogress=00:00:* !# IMAP tunneling [[*:443]] if (request-method:CONNECT && \ request-uri:"external-imap" && \ remote-addr:205.3.*) \ pass * raw://imap.isp.net:143 service=*:1234 timeout=noprogress=00:00:50 !# disable general 1234 service usage [[*:1234]] pass * 403 "Internal use only!" 
</div> <a id="7.7.7.0.5" href="#"></a> <a id="7.7.7.exampleinaction" href="#"></a> <a id="exampleinaction" href="#"></a> <h5 class="head"><span class="text">Example In Action</span></h5> <p> Now let's look at an actual example usage. Consider the internal user's IMAP application, say Thunderbird, is configured to use an IMAP server at host <span class="high italic">wasd.internal.net</span> port 8143. The internal user activates Thunderbird which then initiates a TCP/IP connection to the configured IMAP server expecting to commence the IMAP application protocol. <p> This connection arrives at <span class="high italic">wasd.internal.net</span> port 8143 which has a WASD <span class="high italic">raw</span> tunnel service listening. The connection is accepted and request processing commences. Mapping rules applied to port 8143 initiate an SSL connection to host <span class="high italic">wasd.external.net</span> which is not directly accessible because of the firewall and must be connected to using the HTTP proxy server <span class="high italic">proxy.internal.net</span> as an intermediary. This is specified in the same mapping rule. The mapping rule also injects an HTTP request header providing request characteristics that can be identified and acted upon by the external server. <p> The internal WASD server initiates a connection to the proxy server <span class="high italic">proxy.internal.net</span> acting as part of the firewall. As it is endeavouring to initiate an SSL connection with the external <span class="high italic">wasd.external.net</span> host this proxy connection uses a CONNECT request specifying <span class="high italic">wasd.external.net</span> port 443. The proxy server establishes a connection with the host <span class="high italic">wasd.external.net</span> at port 443. 
Once the connection is established it becomes an asynchronous, bidirectional channel between <span class="high italic">wasd.internal.net</span> and <span class="high italic">wasd.external.net</span> with the proxy server as a conduit. <p> The service connection just established is expecting an SSL negotiation in an attempt to establish an encrypted channel. When this negotiation concludes successfully the communications between <span class="high italic">wasd.internal.net</span> and <span class="high italic">wasd.external.net</span> become opaque to all external listeners including <span class="high italic">proxy.internal.net</span>. <p> The encrypted connection now established, the request begins to be processed by the WASD server at <span class="high italic">wasd.external.net</span>. A number of mapping rules apply to port 443. Each rule compares the injected request method and URI until, in this case, the <span class="high italic">external-imap</span> rule matches. This rule specifies that a raw connection be established with the host <span class="high italic">imap.isp.net</span> at port 143 using the proxy-capable port 1234 service. A timeout limits the duration this connection can be held unused. <p> The IMAP application server at <span class="high italic">imap.isp.net</span> port 143 accepts the connection and begins to communicate using the IMAP protocol. <p> There is now a raw (8 bit, asynchronous, bidirectional) connection from the Thunderbird client to <span class="high italic">wasd.internal.net</span>, (encrypted) through to <span class="high italic">proxy.internal.net</span>, (encrypted) through to <span class="high italic">wasd.external.net</span>, and raw to the IMAP server at <span class="high italic">imap.isp.net</span>. This raw connection will be used for communication between Thunderbird and the IMAP server using the IMAP application protocol. 
<a id="7.7.8" href="#"></a> <a id="7.7.8.tunnellingsource" href="#"></a> <a id="tunnellingsource" href="#"></a> <h3 class="head"><span class="numb">7.7.8</span><span class="text">Tunnelling Source</span></h3> <p> When a tunnel is established into a system the source of that connection (IP host-name/address and port) becomes obscured. By setting the path to the destination port <span class="high italic">proxy=forwarded=for</span> (host name) or <span class="high italic">proxy=forwarded=address</span> (IP address) the external client can be obtained using data contained in the logical name WASD_TUNNEL. <p> Consider tunneling external port 22345 to internal port 22 - Secure Shell. <div class="blockof code"># WASD_CONFIG_SERVICE [[http://*:22345]] [ServiceProxy] enabled [ServiceProxyTunnel] RAW # WASD_CONFIG_MAP [[*:22345]] pass * raw://localhost:22 notimeout </div> <p> To Secure Shell the source host and port would be <span class="high italic">localhost</span> and <span class="high italic">some random port</span>. It can be useful for the login procedure or other service to have the actual client host name (or IP address). Adding the path setting. <div class="blockof code"># WASD_CONFIG_MAP [[*:22345]] pass * raw://localhost:22 notimeout proxy=forwarded=address </div> will result in connection data becoming available in the multivalued logical name WASD_TUNNEL. Index 0 contains internal data, and then the rest (1..127) contain one tunneled connection's details each, in the format <div class="blockof code"><span class="high left italic">internal-host:port></span>=<span class="high left italic">external-host:port></span>=<span class="high left italic">client-host:port></span> </div> For example <div class="blockof code">localhost:46851=www.external.net:22345=mydotcom.org:49201 </div> <p> Obtaining the SSH source port, say from TT_ACCPORNAM data, the original client host and port can be searched for with some trivial DCL code. Adapt to suit local requirements. 
<div class="blockof code">$ if P1 .eqs. "" then P1 = f$element(1,":",f$getdvi("TT:","TT_ACCPORNAM")) $ value = "" $ local = "" $ service = "" $ client = "" $ index = 1 $ index_loop: $ value = f$trnlnm("WASD_TUNNEL","WASD_TABLE",index) $ if value .eqs. "" then goto end_index_loop $ local = f$element(0,"=",value) $ addr = f$element(0,":",local) $ port = f$element(1,":",local) $ if port .eqs. P1 $ then $ service = f$element(1,"=",value) $ client = f$element(2,"=",value) $ goto end_index_loop $ endif $ index = index + 1 $ goto index_loop $ end_index_loop: $ if f$trnlnm("TT_CLIENT","LNM$PROCESS") .nes. "" - then deassign /process TT_CLIENT $ if client .nes. "" then define /process TT_CLIENT "''client'" </div> <p> The tunnel data remains current for at least one minute and may become unavailable at any time after that. <div class="note"><a id="7.7.8.0.0.1" href="#"></a> <a id="7.7.8.note" href="#"></a> <a id="note" href="#"></a> <h5 class="head center"><span class="text">Note</span></h5> <hr class="note_hr"> The source data only reflects the client that connects to that system's services and so cannot be used across multiple, back-to-back tunnels. <hr class="note_hr"> </div> <a id="7.8" href="#"></a> <a id="7.8.browserproxyconfiguration" href="#"></a> <a id="browserproxyconfiguration" href="#"></a> <h2 class="head"><span class="numb">7.8</span><span class="text">Browser Proxy Configuration</span></h2> <p> The browser needs to be configured to access URLs via the proxy server. This is done using two basic approaches, manual and automatic. <a id="7.8.1" href="#"></a> <a id="7.8.1.manual" href="#"></a> <a id="manual" href="#"></a> <h3 class="head"><span class="numb">7.8.1</span><span class="text">Manual</span></h3> <p> Most browsers allow the configuration for access via a proxy server. This commonly consists of an entry for each of the common Web protocol schemes ("http:", "ftp:", "gopher:", etc.). 
Supply the configured WASD proxy service host name and port for the HTTP scheme. This is currently the only one available. This would be similar to the following example: <div class="blockof code">http: www.example.com 8080 </div> <p> To exclude local hosts, and other servers that do not require proxy access, there is usually a field that allows a list of hosts and/or domain names for which the browser should not use proxy access. This might be something like: <div class="blockof code">www.example.com,example.com,example.com </div> <a id="7.8.2" href="#"></a> <a id="7.8.2.automatic" href="#"></a> <a id="automatic" href="#"></a> <h3 class="head"><span class="numb">7.8.2</span><span class="text">Automatic</span></h3> <p> A proxy auto-config (PAC) file defines how web browsers and other user agents can automatically choose the appropriate proxy server (access method) for fetching a given URL. <p class="indent"> <a class="link blank" target="_blank" href="https://en.wikipedia.org/wiki/Proxy_auto-config">https://en.wikipedia.org/wiki/Proxy_auto-config</a> <p> The following is a very simple proxy configuration JavaScript function. This specifies that all URL host names that aren't fully qualified, or that are in the "example.com" domain, will be connected to directly, with all others being accessed via the specified proxy server. <div class="blockof code">function FindProxyForURL(url,host) { if (isPlainHostName(host) || dnsDomainIs(host, ".example.com")) return "DIRECT"; else return "PROXY www.example.com:8080; DIRECT"; } </div> <p> This JavaScript is contained in a file with a specific, associated MIME file type, "application/x-ns-proxy-autoconfig". For WASD it is recommended the file be placed in WASD_ROOT:[LOCAL] and have a file extension of .PAC (which follows Netscape naming convention). 
<p> The following WASD_CONFIG_GLOBAL directive would map the file extension to the required MIME type: <div class="blockof code">[AddType] .PAC application/x-ns-proxy-autoconfig - proxy autoconfig </div> <p> This file is commonly made the default document available from the proxy service. The following example shows the HTTP$MAP rules required to do this: <div class="blockof code">[www.example.com:8080] pass http://* http://* pass / /wasd_root/local/proxy.pac pass * </div> <p> All that remains is to provide the browser with the location from which to load this <span class="high italic">automatic proxy configuration</span> file. In the case of the above set-up this would be: <div class="blockof code">http://www.example.com:8080/ </div> <p> A template for a proxy auto-configuration file may be found at <a class="link blank" target="_blank" href="/wasd_root/example/proxy_autoconfig.txt">WASD_ROOT:[EXAMPLE]PROXY_AUTOCONFIG.TXT</a> <!-- source:0800_INSTANCES.WASDOC --> <hr class="page"> <a id="8." 
href="#"></a> <a id="8.instancesandenvironments" href="#"></a> <a id="instancesandenvironments" href="#"></a> <h1 class="head"><span class="numb">8.</span><span class="text">Instances and Environments</span></h1> <div class="TOC2cols2"> <table class="TOC2table"> <tr><td><a href="#8.1.serverinstances"><span class="numb">8.1</span><span class="text">Server Instances</span></a> <tr><td><a href="#8.1.1.vmsclusteringcomparison"><span class="numb">8.1.1</span><span class="text">VMS Clustering Comparison</span></a> <tr><td><a href="#8.1.2.considerations"><span class="numb">8.1.2</span><span class="text">Considerations</span></a> <tr><td><a href="#8.1.3.configuration"><span class="numb">8.1.3</span><span class="text">Configuration</span></a> <tr><td><a href="#8.1.4.status"><span class="numb">8.1.4</span><span class="text">Status</span></a> <tr><td><a href="#8.2.serverenvironments"><span class="numb">8.2</span><span class="text">Server Environments</span></a> </table> </div> <table class="NAVtable NAVprint"><tr> <td><a href="javascript:window.history.back();">↩︎</a> <td><a href="#7.">↖︎</a> <td><a href="#0.">↑︎</a> <td><a href="#9.">↘︎</a> <td><a href="javascript:window.history.forward();">↪︎</a> </table> <p> WASD <span class="high italic">instances</span> and <span class="high italic">environments</span> are two distinct mechanisms for supporting multiple WASD server processes on a single system. <p> Server instances are multiple, cooperating server processes providing the same set of configured resources. <p> Server environments are multiple, independent server processes providing differently configured resources. <a id="8.1" href="#"></a> <a id="8.1.serverinstances" href="#"></a> <a id="serverinstances" href="#"></a> <h2 class="head"><span class="numb">8.1</span><span class="text">Server Instances</span></h2> <p> The term <span class="high italic">instance</span> is used by WASD to describe an autonomous server process. 
WASD will support multiple server processes running on a single system, alone or in combination with multiple server processes running across a cluster. This is <span class="high under">not</span> the same as supporting multiple virtual servers (see <a class="link blank" target="_blank" href="../config/#virtualservices">Virtual Services</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>). When multiple instances are configured on a single system they cooperate to distribute the request load between themselves and share certain essential resources such as accounting and authorization information. <div class="note"> <a id="8.1.0.0.1" href="#"></a> <a id="8.1.warning" href="#"></a> <a id="warning" href="#"></a> <h5 class="head center"><span class="text">WARNING</span></h5> <hr class="note_hr"> Versions earlier than Compaq TCP/IP Services v5.3 and some TCPware v5.<span class="high italic">n</span> (at least) have a problem with socket listen queuing that can cause services to "hang" (should this happen just disable instances and restart the server). Ensure you have the requisite version/ECO/patch installed before activating multiple instances on production systems! <hr class="note_hr"> </div> <a id="8.1.1" href="#"></a> <a id="8.1.1.vmsclusteringcomparison" href="#"></a> <a id="vmsclusteringcomparison" href="#"></a> <h3 class="head"><span class="numb">8.1.1</span><span class="text">VMS Clustering Comparison</span></h3> <p> The approach WASD has used in providing multiple instance serving may be compared in many ways to VMS clustering. <p> A cluster is often described as a loosely-coupled, distributed operating environment where autonomous processors can join, process and leave (even fail) independently, participating in a single management domain and communicating with one another for the purposes of resource sharing and high availability. 
<p> Similarly WASD instances run in autonomous, detached processes (across one or more systems in a cluster) using a common configuration and management interface, aware of the presence and activity of other instances (via the Distributed Lock Manager and shared memory), sharing processing load and providing rolling restart and automatic "fail-through" as required. <a id="8.1.1.0.1" href="#"></a> <a id="8.1.1.loadsharing" href="#"></a> <a id="loadsharing" href="#"></a> <h5 class="head"><span class="text">Load Sharing</span></h5> <p> On a multi-CPU system there are performance advantages to having processing available for scheduling on each. WASD employs AST (I/O) based processing and was not originally designed to support VMS kernel threading. Benchmarking has shown this to be quite fast and efficient even when compared to a kernel-threaded server (OSU) across 2 CPUs. The advantage of multiple CPUs for a single multi-threaded server also diminishes where a site frequently activates scripts for processing. These of course (potentially) require a CPU each for processing. Where a system has many CPUs (and to a lesser extent with only two and few script activations) WASD's single-process, AST-driven design would scale more poorly. Running multiple WASD instances addresses this. <p> <span class="high bold">Of course load sharing is not the only advantage to multiple instances …</span> <a id="8.1.1.0.2" href="#"></a> <a id="8.1.1.restart" href="#"></a> <a id="restart" href="#"></a> <h5 class="head"><span class="text">Restart</span></h5> <p> When multiple WASD instances are executing on a node and a restart is initiated only one process shuts down at a time. Others remain available for requests until the one restarting is again fully ready to process them itself, at which point the next commences restart. This has been termed a <span class="high italic">rolling restart</span>. 
Such behaviour allows server reconfiguration on a busy site without even a small loss of availability. <a id="8.1.1.0.3" href="#"></a> <a id="8.1.1.failthrough" href="#"></a> <a id="failthrough" href="#"></a> <h5 class="head"><span class="text">Fail-Through</span></h5> <p> When multiple instances are executing on a node and one of these exits for some reason (resource exhaustion, bugcheck, etc.) the other(s) will continue to process requests. Of course requests in-progress by the particular instance at the time of instance failure are disconnected (this contrasts with the rolling restart behaviour described above). If the former process has actually exited (in contrast to just the image) a new server process will automatically be created after a few seconds. <p> The term <span class="high italic">fail-through</span> is used rather than <span class="high italic">failover</span> because one server does not commence processing as another ceases. All servers are constantly active, with those remaining immediately and automatically taking all requests in the absence of any one (or more) of them. <a id="8.1.2" href="#"></a> <a id="8.1.2.considerations" href="#"></a> <a id="considerations" href="#"></a> <h3 class="head"><span class="numb">8.1.2</span><span class="text">Considerations</span></h3> <p> Of course "there is no such thing as a free lunch" and supporting multiple instances is no exception to this rule. To coordinate activity between and access to shared resources, multiple instances use low-level mutexes and the VMS Distributed Lock Manager (DLM). This does add some system overhead and a little latency to request processing, however as the benchmarks indicate increases in overall request throughput on a multi-CPU system easily offset these costs. On single CPU systems the advantages of rolling restart and fail-through need to be assessed against the small cost on a per-site basis.
It is to be expected many low activity sites will not require multiple instances to be active at all. <p> When managing multiple instances on a single node it is important to consider that each process will receive requests in round-robin distribution, and that this needs to be taken into account when debugging scripts, using the Server Administration page and the likes of WATCH, etc. (see <a class="link" href="#8.1.serverinstances">8.1 Server Instances</a>). <a id="8.1.3" href="#"></a> <a id="8.1.3.configuration" href="#"></a> <a id="configuration" href="#"></a> <h3 class="head"><span class="numb">8.1.3</span><span class="text">Configuration</span></h3> <p> If not explicitly configured only one instance is created. The configuration directive [InstanceMax] allows multiple instances to be specified (see <a class="link blank" target="_blank" href="../config/#globalconfiguration">Global Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>). When this is set to an integer that many instances are created and maintained. If set to "CPU" then one instance per system CPU is created. If set to "CPU-<span class="high italic">integer</span>" then one instance for all but one CPU is created, etc. The current limit on instances is eight, although this is somewhat arbitrary. As with all requests, Server Administration page access is automatically shared between instances. There are occasions when consistent access to a single instance is desirable. This is provided via an <span class="high italic">admin service</span> (see <a class="link blank" target="_blank" href="../config/#serviceconfiguration">Service Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>). <p> When executing, the server process name appends the instance number to the "WASD". Associated scripting processes are named accordingly.
This example shows such a system: <div class="blockof code">Pid Process Name State Pri I/O CPU Page flts Pages 21600801 SWAPPER HIB 16 0 0 00:06:53.65 0 0 21600807 CLUSTER_SERVER HIB 12 1879 0 00:01:14.51 91 112 21600808 CONFIGURE HIB 10 30 0 00:00:01.46 47 23 … 21600816 ACME_SERVER HIB 10 71525 0 00:01:28.08 508 713 M 21600818 SMISERVER HIB 9 11197 0 00:00:02.29 158 231 21600819 TP_SERVER HIB 9 1337711 0 00:05:55.78 80 105 … 216421F1 WASD1:80 HIB 5 5365731 0 00:23:12.86 37182 7912 2164523F WASD2:80 HIB 5 5347938 0 00:23:31.41 38983 7831 2162BA5D WASD_WOTSUP HIB 3 2111 0 00:00:00.47 735 518 2164ABCF WASD1:80-651 LEF 6 57884 0 00:00:16.71 3562 3417 2164CBDB WASD2:80-612 LEF 4 19249 0 00:00:04.16 3153 3116 21631BDC WASD2:80-613 LEF 5 18663 0 00:00:07.19 3745 3636 2164BBE6 WASD1:80-658 LEF 5 3009 0 00:00:00.94 2359 2263 … </div> <a id="8.1.4" href="#"></a> <a id="8.1.4.status" href="#"></a> <a id="status" href="#"></a> <h3 class="head"><span class="numb">8.1.4</span><span class="text">Status</span></h3> <p> The instance management infrastructure distributes basic status data to all instances on the node and/or cluster. The intent is to provide an easily comprehended snapshot of multi-instance/multi-node WASD processing status. The data comprises: <ul class="list list0"> <li class="item"> instance name (e.g. "KLAATU::WASD:443") <li class="item"> date/time the instance status was last updated <br> + how long <span class="high italic">ago</span> this was (seconds, minutes, hours, or days) <li class="item"> date/time the instance last started <br> + how long <span class="high italic">ago</span> this was (seconds, minutes, hours, or days) <li class="item"> number of times the instance has started up <li class="item"> date/time the instance last exited <br> + how long <span class="high italic">ago</span> this was (seconds, minutes, hours, or days) <li class="item"> the VMS status at the last exit <li class="item"> instance WASD version (e.g. 
"11.2.0") <li class="item"> number of requests processed during the preceding minute <li class="item"> number of requests processed during the preceding sixty minutes </ul> <p> The data are constrained to these items due to the need to accommodate them within a 64 byte lock value block for cluster purposes. Single node environments do not utilise the DLM, each instance updating its table entry directly. <p> Each node has a table with an entry for every other instance in that WASD environment. Instance data are updated once every minute, so any instance with data older than one minute is no longer behaving correctly. This could be due to some internal error, or that the instance no longer exists (e.g. been stopped, exited or otherwise no longer executing). An entry for an instance that no longer exists is retained indefinitely, or until a /DO=STATUS=PURGE is performed removing all such <span class="high italic">expired</span> entries, or a /DO=STATUS=RESET removing all entries (and allowing those currently executing to repopulate the instance data over the next minute). <p> These status data are accessible via command-line and in-browser reports, intended for larger WASD installations, primarily those operating across multiple nodes in a cluster. With the data being held in common across the cluster, any of the other nodes can provide a per-cluster history even if one or more nodes become completely non-operational. <p> This is an example report on a 132 column terminal display. Due to screen width constraints the date/time omits the year field of the date.
<div class="blockof code">$ httpd/do=status Instance Ago Up Ago Count Exit Ago Status Version /Min /Hour ~~~~~~~~~~~~~~~~ ~~~~ ~~~~~~~~~~~~~~~ ~~~~ ~~~~~ ~~~~~~~~~~~~~~~ ~~~~ ~~~~~~~~~~ ~~~~~~~ ~~~~ ~~~~~ 1 KLAATU::WASD:80 41s 18-DEC 23:27:57 54m 21 18-DEC 23:27:57 54m %X00000001 11.2.0 2 17 KLAATU::WASD1:80---1d-17-DEC-02:49:21---1d-----5-17-DEC-02:50:03---1d-%X00000001-11.2.0----3-----15 KLAATU::WASD2:80---1d-17-DEC-02:49:25---1d-----5-17-DEC-02:50:07---1d-%X00000001-11.2.0----0-----10 KLAATU::WASD3:80---1d-17-DEC-02:49:29---1d-----6-17-DEC-02:50:11---1d-%X00000001-11.2.0----0------3 as at 19-DEC-2017 00:22:41 </div> <p> This provides an example CLI report showing a single node, where a single instance has been started, changed to a three instance configuration, restarted so that the three instances have begun processing. The configuration has been returned a single instance and then the existing three instances restarted the previous day, resulting in the original single instance returning to processing. That instance was last (re)started some 54 minutes ago (a normal exit status showing) and its status was last updated some 41 seconds ago. Note that the three instances showing white-space struck-through with hyphens are stale, having last been updated 1 day ago. Entries older than three minutes are displayed in this format to differentiate them from current entries. <p> The same report on an 80 column terminal. Note that the overt date/time has been omitted, leaving only the period <span class="high italic">ago</span> the event happened. 
<div class="blockof code">$ httpd/do=status Instance Ago Up Count Exit Status Version /Min /Hour ~~~~~~~~~~~~~~~~ ~~~~ ~~~~ ~~~~~ ~~~~ ~~~~~~~~~~ ~~~~~~~ ~~~~ ~~~~~ 1 KLAATU::WASD:80 5s 58m 21 58m %X00000001 11.2.0 1 18 KLAATU::WASD1:80---1d---1d-----5---1d-%X00000001-11.2.0----3-----15 KLAATU::WASD2:80---1d---1d-----5---1d-%X00000001-11.2.0----0-----10 KLAATU::WASD3:80---1d---1d-----6---1d-%X00000001-11.2.0----0------3 as at 19-DEC-2017 00:25:05 </div> <p> Where multiple instances exist, or have existed, and the terminal page size is greater than 24 lines, HTTPMON displays an equivalent of the 80 column report at the bottom of the display. <p> Similarly, the Server Admin report (<a class="link" href="#9.serveradministration">9. Server Administration</a>) shows an HTML equivalent of the 80 column report immediately below the control and time panels. <a id="8.1.4.0.1" href="#"></a> <a id="8.1.4.usinginstancestatus" href="#"></a> <a id="usinginstancestatus" href="#"></a> <h5 class="head"><span class="text">Using Instance Status</span></h5> <ul class="list list0"> <li class="item"> The strike-through (hyphens) of an instance line immediately indicates the instance is no longer updating (after 3 minutes). <br> Clear stale entries using $ HTTPD/DO=STATUS=PURGE. <li class="item"> The instance name <span class="high italic">Ago</span> shows how long ago it was last updated. <li class="item"> If the exit <span class="high italic">Ago</span> is more recent than the startup <span class="high italic">Ago</span> the instance has exited but not restarted. <br> The exit <span class="high italic">Status</span> can show a non-normal status (i.e. not %X00000001). <li class="item"> An excessive startup <span class="high italic">Count</span> suggests something amiss. <li class="item"> Per-minute and/or per-hour request counts that seem atypically low while instance status seems otherwise normal suggests a networking issue, perhaps up-stream. 
</ul> <a id="8.2" href="#"></a> <a id="8.2.serverenvironments" href="#"></a> <a id="serverenvironments" href="#"></a> <h2 class="head"><span class="numb">8.2</span><span class="text">Server Environments</span></h2> <p> WASD server environments allow multiple, distinctly configured environments to execute on a single system. Generally, WASD's unlimited virtual servers and multiple account scripting eliminate the need for multiple execution environments to kludge these requirements. However there may be circumstances that make this desirable; regression and forward-compatibility testing comes to mind. <p> See <a class="link blank" target="_blank" href="../install/#serverenvironments">Server Environments</a> in <a class="link blank" target="_blank" href="../install/#0.">WASD Installation</a> for detailed information on maintaining multiple installations of WASD. <!-- source:0900_ADMIN.WASDOC --> <hr class="page"> <a id="9." href="#"></a> <a id="9.serveradministration" href="#"></a> <a id="serveradministration" href="#"></a> <h1 class="head"><span class="numb">9.</span><span class="text">Server Administration</span></h1> <div class="TOC2cols2"> <table class="TOC2table"> <tr><td><a href="#9.1.accessbeforeconfiguration"><span class="numb">9.1</span><span class="text">Access Before Configuration</span></a> <tr><td><a href="#9.2.accessconfiguration"><span class="numb">9.2</span><span class="text">Access Configuration</span></a> <tr><td><a href="#9.3.serverinstances"><span class="numb">9.3</span><span class="text">Server Instances</span></a> <tr><td><a href="#9.4.httpdserverreports"><span class="numb">9.4</span><span class="text">HTTPd Server Reports</span></a> <tr><td><a href="#9.5.httpdserverrevise"><span class="numb">9.5</span><span class="text">HTTPd Server Revise</span></a> <tr><td><a href="#9.6.httpdserveraction"><span class="numb">9.6</span><span class="text">HTTPd Server Action</span></a> <tr><td><a href="#9.7.httpdcommandline"><span class="numb">9.7</span><span 
class="text">HTTPd Command Line</span></a> <tr><td><a href="#9.7.1.accounting"><span class="numb">9.7.1</span><span class="text">Accounting</span></a> <tr><td><a href="#9.7.2.alignmentfaults"><span class="numb">9.7.2</span><span class="text">Alignment Faults</span></a> <tr><td><a href="#9.7.3.authentication"><span class="numb">9.7.3</span><span class="text">Authentication</span></a> <tr><td><a href="#9.7.4.cache"><span class="numb">9.7.4</span><span class="text">Cache</span></a> <tr><td><a href="#9.7.5.configurationcheck"><span class="numb">9.7.5</span><span class="text">Configuration Check</span></a> <tr><td><a href="#9.7.6.dclscriptingprocesses"><span class="numb">9.7.6</span><span class="text">DCL/Scripting Processes</span></a> <tr><td><a href="#9.7.7.decnetscriptingconnections"><span class="numb">9.7.7</span><span class="text">DECnet Scripting Connections</span></a> <tr><td><a href="#9.7.8.hhelppp"><span class="numb">9.7.8</span><span class="text">Hhelppp!</span></a> <tr><td><a href="#9.7.9.http2connection"><span class="numb">9.7.9</span><span class="text">HTTP/2 Connection</span></a> <tr><td><a href="#9.7.10.instances"><span class="numb">9.7.10</span><span class="text">Instances</span></a> <tr><td><a href="#9.7.11.instancestatus"><span class="numb">9.7.11</span><span class="text">Instance Status</span></a> <tr><td><a href="#9.7.12.logging"><span class="numb">9.7.12</span><span class="text">Logging</span></a> <tr><td><a href="#9.7.13.mapping"><span class="numb">9.7.13</span><span class="text">Mapping</span></a> <tr><td><a href="#9.7.14.networkconnection"><span class="numb">9.7.14</span><span class="text">Network Connection</span></a> <tr><td><a href="#9.7.15.shutdownandrestart"><span class="numb">9.7.15</span><span class="text">Shutdown and Restart</span></a> <tr><td><a href="#9.7.16.securesocketslayer"><span class="numb">9.7.16</span><span class="text">Secure Sockets Layer</span></a> <tr><td><a href="#9.7.17.throttle"><span class="numb">9.7.17</span><span 
class="text">Throttle</span></a> <tr><td><a href="#9.7.18.websocket"><span class="numb">9.7.18</span><span class="text">WebSocket</span></a> </table> </div> <table class="NAVtable NAVprint"><tr> <td><a href="javascript:window.history.back();">↩︎</a> <td><a href="#8.">↖︎</a> <td><a href="#0.">↑︎</a> <td><a href="#10.">↘︎</a> <td><a href="javascript:window.history.forward();">↪︎</a> </table> <p> The online Server Administration facility provides a rich collection of functionality, including server control, reports and configuration. Some of these are intended as general administration tools while others provide more detailed information intended for server debugging and development purposes. <p> The administration interface also provides some basic server statistics in the lower right panel; local date/time, internet (UTC) equivalent, client host, connection protocol, and request RTT (the essential network overhead between client and server), up-times for system, server process, server executable, CPU consumed by it, along with current connection and requests-in-progress statistics. Alerts (in red) also can appear in this panel. <a class="imglink" target="_blank" href="./admin.png"><img class="image" src="./admin.png"></a> <p> The value of the WATCH facility <a class="link" href="#10.watchfacility">10. WATCH Facility</a> as a general configuration and problem-solving tool cannot be overstated. <p> All server configuration files, with the exception of the authentication databases, are plain text and may be modified with any preferred editor. However the majority of these can also be administered online through a browser. In addition the <span class="high italic">update</span> facility allows some administration of file system portions of the Web. See <a class="link" href="#12.httpdwebupdate">12. HTTPd Web Update</a>. <p> Access to many portions of the package is constrained by file protections and directory listing access files.
See for a method for circumventing these restrictions. <a id="9.1" href="#"></a> <a id="9.1.accessbeforeconfiguration" href="#"></a> <a id="accessbeforeconfiguration" href="#"></a> <h2 class="head"><span class="numb">9.1</span><span class="text">Access Before Configuration</span></h2> <p> It is often a significant advantage for the inexperienced administrator on a new and largely unconfigured installation to be able to gain access to the facilities offered by Server Administration, particularly the WATCH facility (<a class="link" href="#10.watchfacility">10. WATCH Facility</a>). This can be done quite simply by using the authentication skeleton-key (<a class="link" href="#3.12.skeletonkeyauthentication">3.12 Skeleton-Key Authentication</a>). This allows the site administrator to register a username and password from the command-line that can be used to gain access to the server. In addition, the server ensures that requesting an otherwise non-authorized Server Administration facility generates a challenge which invokes a username/password dialog at the browser allowing the user to enter the previously registered username and password and gain access. <a id="9.1.0.0.1" href="#"></a> <a id="9.1.method" href="#"></a> <a id="method" href="#"></a> <h5 class="head"><span class="text">Method</span></h5> <ul class="list"> <li class="item"> Register the skeleton-key username and password. <div class="blockof code">$ HTTPD == "$WASD_EXE:HTTPD_SSL.EXE" $! HTTPD == "$WASD_EXE:HTTPD.EXE" $ HTTPD /DO=AUTH=SKELKEY=<span class="high italic under">username:password</span> </div> <p> Note that the username must begin with an underscore, be at least 6 characters, is delimited by a colon, and that the password must be at least 8 characters. By default this username and password remains valid for 60 minutes. <span class="high bold">Choose strings that are less-than-obvious!</span> <li class="item"> Access the server via a browser and use the server Server Administration facility. 
<p class="indent"> <a class="link blank" target="_blank" href="/httpd/-/admin/">https://the.host.name:port/httpd/-/admin/</a> <li class="item"> After use the skeleton-key may be explicitly cancelled rather than left to expire. <div class="blockof code">$ HTTPD /DO=AUTH=SKELKEY=0 </div> </ul> <a id="9.2" href="#"></a> <a id="9.2.accessconfiguration" href="#"></a> <a id="accessconfiguration" href="#"></a> <h2 class="head"><span class="numb">9.2</span><span class="text">Access Configuration</span></h2> <p> Once established the site should make the Server Administration facility a configured facility of the site. The value of its facilities cannot be overstated. <p> It is also recommended that for production sites the path to these reports be controlled via authentication and authorization, using both host and username restrictions, similar to the following: <div class="blockof code">[WHATEVER-REALM] /httpd/-/admin/* host.ip.addr,~WebMaster,~WhoEverElse,r+w </div> <p> If a full authorization environment is not required but administration via browser is still desired, restrict access to browsers executing on the server system itself, using an appropriate SYSUAF-authenticated username. Provision of a VMS account for server administration only is quite feasible, see <a class="link" href="#3.10.6.nilaccessvmsaccounts">3.10.6 Nil-Access VMS Accounts</a>. <div class="blockof code">[VMS] /httpd/-/admin/* #localhost,~<span class="high italic">username</span>,r+w </div> <p> If SSL is in use (<a class="link" href="#4.transportlayersecurity">4. Transport Layer Security</a>) then username/password privacy is inherently secured via the encrypted communications. To restrict server administration functions to this secure environment add the following to the WASD_CONFIG_MAP configuration file: <div class="blockof code">/httpd/-/admin/* "403 Access denied." 
![sc:https] </div> <p> When using the <span class="high italic">revise</span> capability of the Server Administration facility it is necessary to comply with all the requirements for Web update of files. This is discussed in general terms in <a class="link" href="#12.httpdwebupdate">12. HTTPd Web Update</a>. Revision of server configuration files requires path permissions allowing write access for the username(s) doing the administration, as well as the required ACL on the target directory (in the following example WASD_ROOT:[LOCAL]). <div class="blockof code">[VMS] /httpd/-/admin/* #localhost,~<span class="high italic">username</span>,r+w /wasd_root/local/* #localhost,~<span class="high italic">username</span>,r+w </div> <p> It is possible to allow general access to the Server Administration facility and reports while restricting the ability to initiate server actions such as a restart! Using the WORLD realm against the path is necessary because, for the obvious security reason, the server administration module will not allow itself to be used without an authenticated username; the WORLD realm supplies a pseudo-authenticated "WORLD" username. <div class="blockof code">[VMS] /httpd/-/admin/control/* #localhost,~<span class="high italic">username</span>,r+w [WORLD] /httpd/-/admin/* r </div> <p> When GZIP compression is configured for the server (see <a class="link blank" target="_blank" href="../config/#gzipencoding">GZIP Encoding</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>) it is not by default applied to Server Admin reports or other pages. It can be applied, selectively if desired, using mapping rules. For instance, to apply it to all requests not from the local intranet a rule similar to the following can be added before the Server Admin path mapping itself.
<div class="blockof code">if (!remote-addr:192.168.0.0/8) set /httpd/-/admin/* response=GZIP=all pass /httpd/-/admin/* /httpd/-/admin/* </div> <p> GZIP content-encoding can never be applied to WATCH reports. <a id="9.3" href="#"></a> <a id="9.3.serverinstances" href="#"></a> <a id="serverinstances" href="#"></a> <h2 class="head"><span class="numb">9.3</span><span class="text">Server Instances</span></h2> <p> With a single instance (see <a class="link" href="#8.1.serverinstances">8.1 Server Instances</a>) access to Server Administration reports, etc. is always serviced by the one server process. If multiple instances are configured then in common with all requests administration requests will be serviced by any one of the associated processes depending on the momentary state of the round-robin distribution. <p> There are many circumstances where it is preferable to access only the one server. This can be accomplished for two differing objectives. <ol class="list"> <li class="item"> To facilitate access to a specific instance's Server Administration page, including instance-specific reports etc. This is provided through the use of an <span class="high italic">administration service</span> port (see <a class="link blank" target="_blank" href="../config/#administrationservices">Administration Services</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>) available from the Server Administration page. <li class="item"> The Server Administration page (<a class="link" href="#9.6.controlsection">‘Control Section’ in 9.6 HTTPd Server Action</a>) and the command-line <a class="link" href="#9.7.10.instances">9.7.10 Instances</a>) provides the capability to explicitly set the number of instances supported, overriding any configuration directive. After explicitly setting this, using either means, the server must be restarted. 
The explicit startup setting remains in effect until it is changed to "max" allowing the WASD_CONFIG_GLOBAL configuration directive [InstanceMax] to once again determine the number of instances required. </ol> <p> The latter approach is particularly useful when performing detailed WATCH activities (<a class="link" href="#10.watchfacility">10. WATCH Facility</a>). <p> When multiple per-node instances are executing the Server Administration pages and reports all include an indication of which process serviced the request. When accessing no instance in particular the process name is presented in parentheses after the page title <div class="blockof code">HTTPd www.example.com:80 Server Administration (HTTPd:80) </div> When a particular instance's administration service port is being used the process name is separated from the page title by a hyphen <div class="blockof code">HTTPd www.example.com:80 Server Administration - HTTPd:80 </div> <p> Multi-instance status (see <a class="link" href="#8.1.4.status">8.1.4 Status</a>) snapshots are available via HTTPDMON, the Server Admin main page and can be reported from the command line using <div class="blockof code">$ HTTPD /DO=STATUS </div> <a id="9.4" href="#"></a> <a id="9.4.httpdserverreports" href="#"></a> <a id="httpdserverreports" href="#"></a> <h2 class="head"><span class="numb">9.4</span><span class="text">HTTPd Server Reports</span></h2> <p> The server provides a number of internally generated reports. Some of these are of general interest. Others are more for evaluating WASD behaviour and performance for development purposes. Appropriate reports have a refresh selector allowing the report to be updated at the selected period. The following list is in the approximate order in which they occur top-to-bottom, left-to-right in the menu layout. <p> It is possible to use this facility standalone, without configuring authorisation (<a class="link" href="#9.1.accessbeforeconfiguration">9.1 Access Before Configuration</a>). 
<ul class="list"> <li class="item"> <span class="high bold">Statistics – </span> Server process up-time, CPU-time and other resources consumed, number of connections processed, number of requests of each HTTP method, type of processing involved (HTTPd module used), number of bytes processed, etc. <li class="item"> <span class="high bold">Log+ – </span> Display the server process (SYS$OUTPUT) log. The <span class="high italic">plus</span> displays all accessible server process log files for selection. Just click on the <span class="high monosp" style="background-color:yellow;"> + </span> in <span class="highinline monosp _button"> Log<span class="high" style="background-color:yellow;">+ </span></span>. <li class="item"> <span class="high bold">Configuration – </span> A tabular summary of the server's current configuration. This is a convenient method for viewing the information from the WASD_CONFIG_GLOBAL file. <li class="item"> <span class="high bold">Services – </span> A tabular report listing the current services (virtual servers) and the service-specific parameters. <li class="item"> <span class="high bold">Messages – </span> A tabular report of the server's current message database, multiple languages shown if configured that way. <li class="item"> <span class="high bold">Mapping – </span> All loaded mapping rules and any cached USER rule paths. A selector allows rules applying only to one particular virtual server to be displayed. <li class="item"> <span class="high bold">Path Authorization – </span> If authorization is in use (<a class="link" href="#3.authenticationandauthorization">3. Authentication and Authorization</a>) this report lists the paths with associated authorization and access control. 
<li class="item"> <span class="high bold">User Authentication – </span> List any users that have been authorized since the server was last started, the realm authorized from, the group it applies to (if any), and what the user's capabilities are (allowed HTTP methods). A time-stamp and counters provide additional information. <li class="item"> <span class="high bold">Secure Sockets – </span> The SSL report lists counts of the number of SSL transactions initiated and completed, along with session cache statistics for the currently connected SSL service. It also lists the ciphers available and current session information. Other reports allow the Certificate Authority (CA) database to be viewed and edited, if available due to X.509 authentication being enabled. <li class="item"> <span class="high bold">AlnFlt – </span> Memory access alignment faults are constantly monitored. This displays the accumulated statistics since the most recent startup. Should always be zero! <li class="item"> <span class="high bold">Cache – </span> Allows monitoring of cache behaviour and performance, as well as the files currently in the cache (see <a class="link blank" target="_blank" href="../config/#cacheconfiguration">Cache Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>). <li class="item"> <span class="high bold">Cluster – </span> For clustered systems generates a report similar to the <span class="high italic">System Report</span> but with a cluster emphasis. <li class="item"> <span class="high bold">DCL Scripting – </span> Provides some DCL, CGI and CGIplus scripting information. <p> DCL module statistics (same information as displayed in the server statistics report). These are cumulative for the entire life of the system (unless zeroed). <p> Process information shows how many actual processes exist at the time of the report, as indicated by the PID and bolded, non-zero lifetime (in minutes).
The <span class="high italic">soft-limit</span> specifies how many CGIplus scripts are allowed to continue existing before the least used is deleted and the <span class="high italic">hard-limit</span> shows how many processes may actually exist at any one time (the margin allows for process deletion latency). A count of how many times the CGIplus processes have been explicitly purged (button available on this report page). The <span class="high italic">life-time</span> of zombie processes (in minutes, zero implying use of zombies is disabled) and the number that have been purged due to expiry. CGIplus process life-time (in minutes, zero implying indefinite), the number purged due to life-time expiry and the number of CGIplus processes that the server has actually purged (deleted) to maintain the soft-limit margin specified above. <p> Each of the allocated process data structures is listed. There may be zero up to hard-limit items listed here depending on demand for DCL activities and the life of the server. Items with a PID shown indicate an actual process existing. This can be a zombie process or a CGIplus process. If no process is indicated then the other information represents the state the last time the item's associated process completed. Information includes the script (URL-style path) or DCL command, total count of times the item has been used and the last time it was. The zombie count indicates the number of times the same process finished a request and entered the <span class="high italic">zombie</span> state. The CGIplus column indicates it is/was a CGIplus script and shows the total number of times that particular script has been/was used. If the process is currently in use the client information shows the client host name. <p> If any processes are associated with any data structure a <span class="high italic">purge</span> button is provided that forces all processes to be deleted.
This can be useful if a new script image is compiled and it is required all scripts now use this. If a script is currently processing a request the process deletion occurs when that processing is complete. The purge button <span class="high bold">does not force</span> a process to delete, so a second button <span class="high bold">forces</span> all processes to delete immediately. This can be used to forcibly clear errant scripts, etc., but be warned script processing is indiscriminately stopped! <li class="item"> <span class="high bold">DECnet Scripting – </span> DECnet module information shows totals for DECnet scripting usage and the DECnet connection list. <p> This list will grow, up to the specified configuration maximum, as concurrent scripting demand occurs. Maintained connections are indicated by the bolded, non-zero lifetime (in minutes). When this reaches zero the task is disconnected. The current/last task for that connection is indicated, along with the number of times the connection was reused and a total number of uses for that list item. <p> <span class="high italic">Purge</span> and <span class="high italic">force</span> buttons allow current links to be broken after request completion or forcibly disconnected. <li class="item"> <span class="high bold">HTTP – </span> Reports HTTP/2 and HTTP/1.<span class="high italic">n</span> statistics together as well as providing a list of current HTTP/2 connections with some per-connection data. See <a class="link" href="#5.http2">5. HTTP/2</a> for details. <li class="item"> <span class="high bold">Lock – </span> Lists the names and status of all lock resources used to manage single and multiple instances across single systems or a cluster. This report is more relevant for evaluating and debugging WASD behaviour.
<li class="item"> <span class="high bold">Match – </span> To assist with the refinement of string matching patterns (see <a class="link blank" target="_blank" href="../config/#stringmatching">String Matching</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>). This report allows the input of target and match strings and allows direct access to the server's wildcard and regular expression matching routines. Successful matches show the matching elements and a substitution field allows resultant strings to be assessed. <li class="item"> <span class="high bold">Memory+ – </span> Provides a report and does an integrity check on each of the Virtual Memory (VM) zones employed by the WASD HTTPd. The <span class="high italic">plus</span> displays all server process memory zones. Just click on the <span class="high monosp" style="background-color:yellow;"> + </span> in <span class="highinline monosp _button"> Memory<span class="high" style="background-color:yellow;">+ </span></span>. <li class="item"> <span class="high bold">Process – </span> Lists all processes on the current system owned by the server account. From this list a process can be selected to have a "SHOW PROCESS /ALL" performed on it, displayed on a report page. <li class="item"> <span class="high bold">Proxy – </span> If proxy serving is enabled a report providing statistics on the various HTTP methods used, network and cache traffic, cache reads and writes, requests not cachable, and host name lookup are provided. This may be used to help gauge the effectiveness of the cache.
<li class="item"> <span class="high bold">Request – </span> Lists in-progress requests (always shows at least your own connection accessing this report :-) Additional buttons after the report allow selection of a report that in addition displays current persistent network connections, requests currently under throttle control, and if enabled a list (history) of the most recent requests (enabled by the configuration parameter [RequestHistory]). Current requests may be selected for <span class="high italic">one-shot</span> WATCH-processing reports from this page. <p> Two other diagnostic tools are available from the same link. The first, <span class="high italic">WATCH-peek Report</span>, provides a snapshot of the contents of selected internal fields and data structures of the request. This is primarily intended as a problem investigation and development tool, and will be of limited value without an understanding of server internals. The second accesses the "peek" internals plus a one-shot WATCH-processing report. <p> For servers handling a great quantity of concurrent traffic this can generate a very large report. The <span class="high italic">Supervisor</span> report can also provide a profile of the server's current load. <li class="item"> <span class="high bold">System+ – </span> Shows the system, all users, memory and CPU status as a single report. <a id="9.4.0.0.0.1" href="#"></a> <a id="9.4.serverclisysplus" href="#"></a> <a id="serverclisysplus" href="#"></a> <h6 class="head display0"><span class="text">Server CLI /SYSPLUS</span></h6> <div class="note"> <a id="9.4.0.0.1" href="#"></a> <a id="9.4.systemreportplus" href="#"></a> <a id="systemreportplus" href="#"></a> <h5 class="head center"><span class="text">System Report PLUS</span></h5> <hr class="note_hr"> The standard system report uses a scripting process to present some of this data in familiar formats (using DCL commands). If the system is faltering for some reason (e.g.
resource exhaustion) this may not be possible – and just when it might be really useful! It <span class="high bold">may</span> still be possible to gain some insight into system status using the <span class="high monosp">system+</span> report. This uses only internal code and provides significant technical data on system, cluster, device and process status. Just click on the <span class="high monosp" style="background-color:yellow;"> + </span> in <span class="highinline monosp _button"> System<span class="high" style="background-color:yellow;">+ </span></span>. It can also be considered an alternate or supplementary view of the system for those that don't mind, or who thrive on, more technical content. <p> <span class="high bold monosp">$ HTTPD /SYSPLUS </span> can provide the same report data at the command-line for circumstances where the server is unresponsive but an interactive session is available. Requires a 132 character width terminal session. The /SYSPLUS report generator may be used with /OUTPUT=<filename> to capture and store report data. See <a class="link blank" target="_blank" href="../config/#serverimagecommandlineparameters">Server Image Command-Line Parameters</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>). <hr class="note_hr"> </div> <li class="item"> <span class="high bold">Throttle – </span> This report provides a list of paths with throttle rules mapped against them. It provides the throttle values along with current and history activity counters. <li class="item"> <span class="high bold">WATCH – </span> This report provides an online, real-time, in-browser-window view of request processing on the <span class="high bold">running server</span>. See <a class="link" href="#10.watchfacility">10. WATCH Facility</a> for details. <li class="item"> <span class="high bold">WebDAV – </span> Provides configuration and statistics. 
<li class="item"> <span class="high bold">WebSocket – </span> Lists in-progress WebSocket requests with connection statistics and the scripting process associated with. <li class="item"> <span class="high bold">Activity – </span> Provide a graphical <span class="high italic">snapshot</span> of server activity of a given period. <p> The statistics are stored in a permanent global section and so carry-over between server restarts. Where multiple instances are executing the data represents an accumulation of all instances' processing. It is enabled by the configuration parameter [ActivityDays]. The Server Administration facility provides several, represented as a period of hours before the present time. Number of requests and bytes sent to the client are represented by a histogram with respective means for each by a line graph. A bar across the column of the request histogram indicates the peak number of concurrent requests during the period. A <span class="high italic">greyed</span> area indicates no data available for that time (i.e. before the latest server startup, or in the future). <p> Server startup and shutdown events are indicated by solid, vertical lines the full height of the graph (see example for a restart event). <ul class="list simple list0"> <li class="item"> startup - green <li class="item"> shutdown - black <li class="item"> restart - grey <li class="item"> error exit - red </ul> <p> Activity data is accumulated on a per-minute basis. This is the maximum granularity of any report. When reports are selected that can display less than this one minute granularity (i.e. with periods greater than four hours) the value shown is the <span class="high bold">peak</span> of the number of minutes sampled for display. This better represents the load on the server than would a mean of those samples. <p> The graph is an image map, various regions of which allow the selection of other reports with different periods or durations. 
This allows previous periods to be examined at various levels of detail using the graph for navigation. Various sections may have no mapping as appropriate to the current report. <p> For multiple hour reports the upper and lower sections have distinct functions. The middle 50% of the upper section allows the same end time (most commonly the current hour) to be examined over twice the current period, in this case it would be over eight hours. The left 25% allows the previous four hours to be viewed (if such data exists), and for non-current reports the right 25% allows the next four hours to be viewed. The lower half can be divided into sections representing hours or days depending on the period of the current report. This allows that period to be viewed in greater detail. For single hour reports this section, of course, is not mapped. <p> Remember that the URL of the mapped section will be displayed in the status bar of the browser. As the URL contains time components it is not a difficult task to decipher the URL displayed to see the exact time and period being selected. <a class="imglink" target="_blank" href="./activity.png"><img class="image" src="./activity.png"></a> </ul> <a id="9.5" href="#"></a> <a id="9.5.httpdserverrevise" href="#"></a> <a id="httpdserverrevise" href="#"></a> <h2 class="head"><span class="numb">9.5</span><span class="text">HTTPd Server Revise</span></h2> <p> The server provides a comprehensive configuration revision facility. <ul class="list"> <li class="item"> <span class="high bold">Configuration – </span> A form-driven interface allows the current configuration of the server to be altered online. This configuration may then be saved to the on-disk file and then the server could be restarted using the new parameters. The source of the current configuration can be either the server itself (from its volatile, in-memory parameters) or from the on-disk configuration file.
In addition it is possible to directly edit and update the on-disk file. <li class="item"> <span class="high bold">Services – </span> A form-driven interface allows service (virtual server) configuration. It is also possible to directly edit and update the on-disk file. The server must be restarted for service changes to take effect. <li class="item"> <span class="high bold">Messages – </span> A form-driven interface allows the server messages to be modified. It is also possible to directly edit and update the on-disk file. The server can then be restarted to use the modified database (<a class="link" href="#9.6.httpdserveraction">9.6 HTTPd Server Action</a>). <li class="item"> <span class="high bold">Mapping – </span> No form-driven interface is currently available for changing the mapping rules. However it is possible to directly edit and update the on-disk file. The mapping rules could then be reloaded, changing the current server rules (<a class="link" href="#9.6.httpdserveraction">9.6 HTTPd Server Action</a>). <li class="item"> <span class="high bold">Path Authorization – </span> No form-driven interface is currently available for changing the path authorization configuration. However it is possible to directly edit and update the on-disk file. The path authorization directives could then be reloaded, changing the current server authorization (<a class="link" href="#9.6.httpdserveraction">9.6 HTTPd Server Action</a>). <li class="item"> <span class="high bold">User Authentication – </span> User authentication comprises a number of dialogues that allow the WASD-specific (HTA) authentication databases to be administered.
These include: <p> <ul class="list simple list0"> <li class="item"> creating databases <li class="item"> deleting databases <li class="item"> accessing databases for administering usernames <li class="item"> listing usernames within databases <li class="item"> adding usernames <li class="item"> deleting usernames <li class="item"> modifying username permissions and other data <li class="item"> resetting in-server (cached) authentication information </ul> <p> <a class="link" href="#3.authenticationandauthorization">3. Authentication and Authorization</a> covers authentication detail. <li class="item"> <span class="high bold">Site Log – </span> This accesses a plain-text file that could be used to record server or other significant site configuration changes if desired. Two methods of access are provided. <ol class="list list0"> <li class="item"> Site-Log - open the file for editing, placing a date/time/author timestamp at the top <li class="item"> Edit - open the file for editing </ol> <p> The file name and/or location may be specified using the logical name WASD_SITELOG. </ul> <a id="9.5.0.0.1" href="#"></a> <a id="9.5.enablingserveraccess" href="#"></a> <a id="enablingserveraccess" href="#"></a> <h5 class="head"><span class="text">Enabling Server Access</span></h5> <p> Many of the server activities listed above require server account write access to the directory in which the configuration files are stored. Where an autonomous scripting account is in use this poses minimal threat to server configuration integrity (where scripts instead execute under the server account itself, that write access to the configuration directory is available to every script as well, so a separate scripting account is preferable). <ol class="list"> <li class="item"> Specifically map the /wasd_root/local/ path and mark it as access always requiring authorization (ensure this is one of the first mappings in the file and certainly before any other /wasd_root/ ones).
<div class="blockof code"># WASD_CONFIG_MAP pass /wasd_root/local/* auth=all </div> <li class="item"> Add appropriate authorization rules (example from <a class="link blank" target="_blank" href="../config/#authorizationconfigurationbasics">Authorization Configuration (Basics)</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>). <div class="blockof code"># WASD_CONFIG_AUTH ["Web Admin"=WASD_WEBADMIN=id] /httpd/-/admin/* r+w /wasd_root/local/* r+w </div> <li class="item"> Update access to the directory can be applied using the SECHAN utility (<a class="link" href="#13.12.sechanutility">13.12 SECHAN Utility</a>). <div class="blockof code">$ SECHAN /WRITE WASD_ROOT:[000000]LOCAL.DIR $ SECHAN /WRITE WASD_ROOT:[LOCAL] </div> <li class="item"> Load the new mapping and authorization rules. <div class="blockof code">$ HTTPD /DO=MAP $ HTTPD /DO=AUTH=LOAD </div> </ol> <a id="9.5.0.0.2" href="#"></a> <a id="9.5.alternativeusingprofile" href="#"></a> <a id="alternativeusingprofile" href="#"></a> <h5 class="head"><span class="text">Alternative Using /PROFILE</span></h5> <p> If a site is using SYSUAF authentication and security profiles enabled using the /PROFILE startup qualifier (<a class="link" href="#13.12.sechanutility">13.12 SECHAN Utility</a>) then a more restrictive set up is possible, retaining the default no-access to the [LOCAL] directory. This relies on the administering account(s) having read and write access to the [LOCAL] directory. It is then not necessary to grant that to the server account. It is possible to limit the application of VMS user profiles. This is an example. <div class="blockof code"># WASD_CONFIG_MAP set /wasd_root/local/* profile auth=all set * noprofile </div> <p> To use this approach perform steps 1, 2 and 4 from above, substituting the following for step 3. 
<div class="blockof code">$ SECHAN /PACKAGE WASD_ROOT:[000000]LOCAL.DIR $ SECHAN /PACKAGE WASD_ROOT:[LOCAL] $ SECHAN /CONTROL WASD_ROOT:[000000]LOCAL.DIR </div> <a id="9.6" href="#"></a> <a id="9.6.httpdserveraction" href="#"></a> <a id="httpdserveraction" href="#"></a> <h2 class="head"><span class="numb">9.6</span><span class="text">HTTPd Server Action</span></h2> <p> The server allows certain run-time actions to be initiated. Many of these functions can also be initiated from the command line, see <a class="link" href="#9.7.httpdcommandline">9.7 HTTPd Command Line</a>. <p> When multiple servers are executing on a single node or within a cluster a JavaScript-driven checkbox appears in the bottom left of the administration menu. <span class="high bold">Checking that box applies any subsequently selected action to all servers!</span> <a id="9.6.0.0.1" href="#"></a> <a id="9.6.controlsection" href="#"></a> <a id="controlsection" href="#"></a> <h5 class="head"><span class="text">Control Section</span></h5> <ul class="list"> <li class="item"> <span class="high bold">Server Restart/restartNOW/restartQuiet/Exit/exitNOW – </span> The difference between restart/exit and restartNOW/exitNOW is the former waits for any current requests to be completed, while the latter does it immediately regardless of any current connections. The restartQuiet variant continues processing until demand drops to zero for more than one second at which point it commences restart. If the browser has JavaScript enabled a cautionary alert requesting confirmation is generated (otherwise there is no confirmation). <li class="item"> <span class="high bold">Logging On/Off/Flush – </span> The WASD_CONFIG_LOG logical must be configured to allow access logging to be enabled and disabled from this menu. <li class="item"> <span class="high bold">Caching On/Off/Purge – </span> Caching may be enabled and disabled in an ad hoc fashion using these controls. 
When being disabled after being enabled all previous data is retained. If subsequently reenabled that data is then again available for use. This allows convenient assessment of the subjective or even objective benefits of the caching. If purged all entries in the cache are removed. <li class="item"> <span class="high bold">Instance Startup – </span> An instance value may be set that overrides the configuration directive [InstanceMax] at next startup. This may be used to change the number of server processes on an ad hoc basis. Reset to "max" to return to configuration control. Note that this can be applied to the current node only or to all servers within a cluster, and that a subsequent restart is required. <li class="item"> <span class="high bold italic">DO= Button and Field – </span> Provides an on-line facility parallel to that provided by the command-line /DO qualifier (<a class="link" href="#9.7.httpdcommandline">9.7 HTTPd Command Line</a>). Any directive available via the command-line can be entered using this interface and applied on a per-node or per-cluster basis. </ul> <a id="9.6.0.0.2" href="#"></a> <a id="9.6.configurationactionsection" href="#"></a> <a id="configurationactionsection" href="#"></a> <h5 class="head"><span class="text">Configuration Action Section</span></h5> <ul class="list"> <li class="item"> <span class="high bold">Statistics Zeroed – </span> All counters are zeroed (except the <span class="high italic">number-of-times-zeroed</span> counter!) <li class="item"> <span class="high bold">Mapping Rules Reload – </span> Reloads the path mapping rules from the on-disk file into the running server, clears the user SYSUAF mapping cache. <p> <span class="high bold">Caution!</span> If changing CGIplus script mapping it is advised to restart the server rather than reload. Some conflict is possible when using new rules while existing CGIplus scripts are executing.
<li class="item"> <span class="high bold">Path Authorization Reload – </span> Reloads the path authorization directives from the on-disk file into the running server. <li class="item"> <span class="high bold">User Authentication Cache Purge – </span> For efficiency reasons authenticated user information is cached for a limited period within the running server. All this cached information may be completely purged using this action, forcing subsequent requests to be reauthenticated from the on-disk database. </ul> <a id="9.7" href="#"></a> <a id="9.7.httpdcommandline" href="#"></a> <a id="httpdcommandline" href="#"></a> <h2 class="head"><span class="numb">9.7</span><span class="text">HTTPd Command Line</span></h2> <p> A foreign command for the HTTPD control functionality will need to be assigned in the administration users' LOGIN.COM, for example: <div class="blockof code">$ HTTPD == "$WASD_EXE:HTTPD" </div> or (perhaps more likely) <div class="blockof code">$ HTTPD == "$WASD_EXE:HTTPD_SSL" </div> <p> Some control of the executing server is available from the DCL command line on the system on which it is executing. This functionality, <span class="high bold">via the /DO= qualifier</span>, is available to the privileged user. <p> These directives are communicated from the command-line (and Server Administration page analogue - <a class="link" href="#9.6.controlsection">‘Control Section’ in 9.6 HTTPd Server Action</a>) to the per-node or per-cluster servers using the Distributed Lock Manager. On pre-VMS V8.2 the command buffer is limited to 15 bytes. From VMS V8.2 the buffer space available is 63 bytes. In a cluster all systems must support the larger buffer before WASD enables it. The smaller buffer space limits some of the directives that take free-form parameters (e.g. /DO=DCL=PURGE=USER=DANIEL).
<a id="9.7.0.0.1" href="#"></a> <a id="9.7.multiserverclusterwide" href="#"></a> <a id="multiserverclusterwide" href="#"></a> <h5 class="head"><span class="text">Multi-Server/Cluster-Wide</span></h5> <p> If multiple servers are executing on a host or cluster it is possible to control all of them by adding the /CLUSTER or /ALL qualifiers. Of course, these commands are available from batch jobs as well as interactively. In a clustered WASD environment the same functionality is available via checkboxes from the online Server Administration facility. <a id="9.7.0.0.2" href="#"></a> <a id="9.7.needittobejogged" href="#"></a> <a id="needittobejogged" href="#"></a> <h5 class="head"><span class="text">Need it to be jogged?</span></h5> <p> Can't quite remember what it can (and by implication can't) do? <div class="blockof code">$ HTTPD /DO=HELP </div> <a id="9.7.0.0.3" href="#"></a> <a id="9.7.serverlogannotation" href="#"></a> <a id="serverlogannotation" href="#"></a> <h5 class="head"><span class="text">Server Log Annotation</span></h5> <p> Significant server events (e.g. restart, exit, mapping rule change) can often benefit (post-mortem :-) from an annotation in the server process log, especially in a production environment. The command-line /NOTE="<string>" can be used to insert the supplied string as an ad hoc annotation, or in conjunction with a /DO=".." CLI command. <div class="blockof code">$ HTTPD /NOTE="just a note test!" $ HTTPD /DO=RESTART /NOTE="adding services ""download."" and ""mail.""" </div> <p> The server process log annotations appear as follows. <div class="blockof code">%HTTPD-I-NOTE, 10-DEC-2017 22:32:30, just a note test! %HTTPD-I-NOTE, 10-DEC-2017 22:33:05, adding services "download." and "mail." </div> <p> Notes may also be inserted from the Server Admin main page by using the [/DO=] button and field and prefixing the string with /NOTE= (string delimiting quotation marks are not required).
Using the Server Admin page, annotation and commands cannot be combined. <a id="9.7.1" href="#"></a> <a id="9.7.1.accounting" href="#"></a> <a id="accounting" href="#"></a> <h3 class="head"><span class="numb">9.7.1</span><span class="text">Accounting</span></h3> <p> Server counters may be zeroed. These counters are those visible from the <span class="high italic">statistics</span> Server Administration item and when using the HTTPDMON utility. <div class="blockof code">$ HTTPD /DO=ZERO </div> <p> The HTTPDMON utility displays a status line during startup or server exit on error. For example: <div class="blockof code">KLAATU:: 1 HTTPDMON v2.6.0 AXP Friday, 21-SEP-2018 21:40:54 Process: WASD:80 PID: 00001F9B User: HTTP$SERVER Version: 11.3.0 Up: 6 18:21:20.96 CPU: 0 00:07:25.54 Startup: 55 Exit: %X00000001 8< snip 8< Rx: 1,365,809 (0 err) Tx: 26,965,420 (0 err) (477kB/s) STATUS: %HTTPD-I-STARTUP, 21-SEP-2018 21:40:52, WASD:80 </div> <p> On occasion this status message can become constantly displayed (e.g. command-line misoperation), with <div class="blockof code">$ HTTPD /DO=ZERO=STATUS </div> restoring normal request information. <a id="9.7.2" href="#"></a> <a id="9.7.2.alignmentfaults" href="#"></a> <a id="alignmentfaults" href="#"></a> <h3 class="head"><span class="numb">9.7.2</span><span class="text">Alignment Faults</span></h3> <p> Alignment faults can be a significant performance issue and considerable effort has been invested in completely eliminating them. This was done using an internal reporting tool (primarily intended for the WASD developer) available from the Server Admin interface. Defining the logical name WASD_ALIGN_MAP to be a linker map of the build provides additional information.
<div class="blockof code">$ HTTPD /DO=ALIGN=START $ HTTPD /DO=ALIGN=STOP $ HTTPD /DO=ALIGN=ZERO $ HTTPD /DO=ALIGN=FAULT=1 </div> <a id="9.7.3" href="#"></a> <a id="9.7.3.authentication" href="#"></a> <a id="authentication" href="#"></a> <h3 class="head"><span class="numb">9.7.3</span><span class="text">Authentication</span></h3> <p> See <a class="link" href="#3.authenticationandauthorization">3. Authentication and Authorization</a>. <p> The authorization rule file (HTTP$AUTH) may be reloaded using either of these variants. <div class="blockof code">$ HTTPD /DO=AUTH $ HTTPD /DO=AUTH=LOAD </div> <p> The authentication cache may be purged, resulting in re-authentication for all subsequent authorization-controlled accesses. This may be useful when disabling authorization or if a user has been locked-out due to too many invalid password attempts (<a class="link" href="#3.9.authorizationcache">3.9 Authorization Cache</a>). <div class="blockof code">$ HTTPD /DO=AUTH=PURGE </div> <p> A "skeleton-key" username and password may be entered, amongst other things allowing access to the Server Administration facility (<a class="link" href="#9.serveradministration">9. Server Administration</a>). Because the username and password are supplied on the command line, the optional <span class="high italic">period</span> parameter should be used to limit how long the skeleton key remains valid. <div class="blockof code">$ HTTPD /DO=AUTH=SKELKEY=_<username>:<password>[:<period>] </div> <a id="9.7.4" href="#"></a> <a id="9.7.4.cache" href="#"></a> <a id="cache" href="#"></a> <h3 class="head"><span class="numb">9.7.4</span><span class="text">Cache</span></h3> <p> Server cache control may also be exercised from the Server Administration page (<a class="link" href="#9.serveradministration">9. Server Administration</a>).
The file cache (see <a class="link blank" target="_blank" href="../config/#cacheconfiguration">Cache Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>) may be enabled, disabled and have the contents purged (declared invalid and reloaded) using <div class="blockof code">$ HTTPD /DO=CACHE=ON $ HTTPD /DO=CACHE=OFF $ HTTPD /DO=CACHE=PURGE </div> <a id="9.7.5" href="#"></a> <a id="9.7.5.configurationcheck" href="#"></a> <a id="configurationcheck" href="#"></a> <h3 class="head"><span class="numb">9.7.5</span><span class="text">Configuration Check</span></h3> <p> Changes to configuration files can be validated at the command-line before reload or restart. This detects and reports any syntactical and fatal configuration errors but of course cannot check the <span class="high italic">intent</span> of the rules. <div class="blockof code">$ HTTPD /DO=AUTH=CHECK $ HTTPD /DO=CONFIG=CHECK $ HTTPD /DO=GLOBAL=CHECK $ HTTPD /DO=MAP=CHECK $ HTTPD /DO=MSG=CHECK $ HTTPD /DO=SERVICE=CHECK </div> <p> The <span class="high italic">config</span> check sequentially processes each of the <span class="high italic">authorization</span>, <span class="high italic">global</span>, <span class="high italic">mapping</span>, <span class="high italic">message</span> and <span class="high italic">service</span> configuration files. <p> If additional server startup qualifiers are required to enable specific configuration features then these must also be provided when checking. For example: <div class="blockof code">$ HTTPD /DO=AUTH=CHECK /SYSUAF /PROFILE </div> <a id="9.7.6" href="#"></a> <a id="9.7.6.dclscriptingprocesses" href="#"></a> <a id="dclscriptingprocesses" href="#"></a> <h3 class="head"><span class="numb">9.7.6</span><span class="text">DCL/Scripting Processes</span></h3> <p> These commands can be useful for flushing any currently executing CGIplus applications from the server, enabling a new version to be loaded with the next access. 
See "Scripting Environment" document. <p> All scripting processes, busy with a request or not, can be deleted (this may cause the client to lose data). <div class="blockof code">$ HTTPD /DO=DCL=DELETE </div> <p> A gentler alternative is to delete idle processes and mark busy ones for deletion when they have completed processing. <div class="blockof code">$ HTTPD /DO=DCL=PURGE </div> <p> A more selective DELETE and PURGE is possible, where a user name, script name, or script file name is supplied and only matching tasks have the specified action performed. <div class="blockof code">$ HTTPD /DO=DCL=PURGE=USER=<span class="high italic">username</span> $ HTTPD /DO=DCL=PURGE=SCRIPT=<span class="high italic">script-path</span> $ HTTPD /DO=DCL=PURGE=FILE=<span class="high italic">script-file-name</span> </div> <p> When using the proctor facility (<a class="link blank" target="_blank" href="../scripting/#scriptproctor">Script Proctor</a> in <a class="link blank" target="_blank" href="../scripting/#0.">WASD Scripting</a>) revised rules in WASD_CONFIG_GLOBAL may be <span class="high italic">applied</span> to the running server (proctored scripting processes created and deleted), or merely <span class="high italic">loaded</span> into the server ruleset (requiring a subsequent DCL=PURGE or DCL=DELETE to activate). <div class="blockof code">$ HTTPD /DO=DCL=PROCTOR=APPLY $ HTTPD /DO=DCL=PROCTOR=LOAD </div> <a id="9.7.7" href="#"></a> <a id="9.7.7.decnetscriptingconnections" href="#"></a> <a id="decnetscriptingconnections" href="#"></a> <h3 class="head"><span class="numb">9.7.7</span><span class="text">DECnet Scripting Connections</span></h3> <p> All DECnet connections, busy with a request or not, can be disconnected (this may cause the client to lose data). <div class="blockof code">$ HTTPD /DO=DECNET=DISCONNECT </div> <p> Purging is a better alternative, disconnecting idle tasks and marking busy ones for disconnection when complete. 
<div class="blockof code">$ HTTPD /DO=DECNET=PURGE </div> <a id="9.7.8" href="#"></a> <a id="9.7.8.hhelppp" href="#"></a> <a id="hhelppp" href="#"></a> <h3 class="head"><span class="numb">9.7.8</span><span class="text">Hhelppp!</span></h3> <div class="blockof code">$ HTTPD /DO=HELP o ALIGN= START, STOP, ZERO with [<buf-size>,<items>,<mask>] o AUTH reload authorization file o AUTH=CHECK elementary check of authorization file … o ZERO zero all accounting o ZERO=NOTICED zero the 'errors noticed' accounting o ZERO=PROXY zero proxy accounting $ </div> <a id="9.7.9" href="#"></a> <a id="9.7.9.http2connection" href="#"></a> <a id="http2connection" href="#"></a> <h3 class="head"><span class="numb">9.7.9</span><span class="text">HTTP/2 Connection</span></h3> <p> Disconnect idle HTTP/2 connections. <div class="blockof code">$ HTTPD /DO=HTTP2=PURGE </div> <p> All HTTP/2 connections can be disconnected (this may cause clients to lose data), or a specific connection number. <div class="blockof code">$ HTTPD /DO=HTTP2=PURGE=ALL $ HTTPD /DO=HTTP2=PURGE=<span class="high italic">number</span> </div> <a id="9.7.10" href="#"></a> <a id="9.7.10.instances" href="#"></a> <a id="instances" href="#"></a> <h3 class="head"><span class="numb">9.7.10</span><span class="text">Instances</span></h3> <p> The number of server instances (see <a class="link" href="#8.1.serverinstances">8.1 Server Instances</a>) may be set from the command line. This overrides any configuration file directive and applies at the next startup. Any configuration directive value may be used from the command line. 
<div class="blockof code">$ HTTPD /DO=INSTANCE=MAX $ HTTPD /DO=INSTANCE=CPU $ HTTPD /DO=INSTANCE=<span class="high italic">integer</span> </div> <p> <span class="high bold">Note that the server must be restarted for this to take effect</span>, that this can be applied to the current node only or to all servers within a cluster, and that it remains in effect until explicitly changed to "MAX" allowing the WASD_CONFIG_GLOBAL configuration directive [InstanceMax] to once again determine the number of instances required. The same functionality is available from the Server Administration page (<a class="link" href="#9.6.httpdserveraction">9.6 HTTPd Server Action</a>). <p> There are also directives to assist with WATCH activities (<a class="link" href="#8.1.serverinstances">8.1 Server Instances</a>). <div class="blockof code">$ HTTPD /DO=INSTANCE=PASSIVE $ HTTPD /DO=INSTANCE=ACTIVE </div> <a id="9.7.11" href="#"></a> <a id="9.7.11.instancestatus" href="#"></a> <a id="instancestatus" href="#"></a> <h3 class="head"><span class="numb">9.7.11</span><span class="text">Instance Status</span></h3> <p> Multi-instance (see <a class="link" href="#8.1.serverinstances">8.1 Server Instances</a>) status (see <a class="link" href="#8.1.4.status">8.1.4 Status</a>) can be reported from the command line using <div class="blockof code">$ HTTPD /DO=STATUS </div> <p> In addition, stale entries in the status table may be purged using <div class="blockof code">$ HTTPD /DO=STATUS=PURGE </div> and the table completely emptied then repopulated over the next minute using <div class="blockof code">$ HTTPD /DO=STATUS=RESET </div> <a id="9.7.12" href="#"></a> <a id="9.7.12.logging" href="#"></a> <a id="logging" href="#"></a> <h3 class="head"><span class="numb">9.7.12</span><span class="text">Logging</span></h3> <p> Server logging control may also be exercised from the server administration menu (<a class="link" href="#9.serveradministration">9. Server Administration</a>). 
<p> Open the access log file(s). <div class="blockof code">$ HTTPD /DO=LOG=OPEN </div> <p> Close the access log file(s). <div class="blockof code">$ HTTPD /DO=LOG=CLOSE </div> <p> Close then reopen the access log file(s). <div class="blockof code">$ HTTPD /DO=LOG=REOPEN </div> <p> Unwritten log records may be flushed to the file(s). <div class="blockof code">$ HTTPD /DO=LOG=FLUSH </div> <a id="9.7.13" href="#"></a> <a id="9.7.13.mapping" href="#"></a> <a id="mapping" href="#"></a> <h3 class="head"><span class="numb">9.7.13</span><span class="text">Mapping</span></h3> <p> See <a class="link blank" target="_blank" href="../config/#requestprocessingconfiguration">Request Processing Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>. <p> The mapping rule file (WASD_CONFIG_MAP) may be reloaded using either of these variants. <div class="blockof code">$ HTTPD /DO=MAP $ HTTPD /DO=MAP=LOAD </div> <a id="9.7.14" href="#"></a> <a id="9.7.14.networkconnection" href="#"></a> <a id="networkconnection" href="#"></a> <h3 class="head"><span class="numb">9.7.14</span><span class="text">Network Connection</span></h3> <p> Current network connections can be listed at the CLI. <div class="blockof code">$ HTTPD /DO=NET=LIST </div> <p> This can display in an 80 character terminal depending on column widths (e.g. service and client names) but in some circumstances will require 132 characters to use effectively. The CLI command requests the running server to generate a report and return that via the $BRKTHRU service. <p> Note that with HTTP/1.n there is a one-to-one relationship between requests in progress and a network connection, displayed as a single integer, e.g. <span class="high monosp">1651</span>. With HTTP/2 there can be a many to one, where listed "connections" being processed (i.e. 
requests in progress) are <span class="high italic">virtual</span> connections being transported by an independent actual connection, and displayed as <span class="high monosp">1639->1632</span>, where <span class="high monosp">->1632</span> is the actual connection. <div class="blockof code">Connect Service / Request Client Time Duration ---------- ------------------- ---------- -------- -------- 1651 https:wasd.lan:4443 router.lan 08:05:02 6.636s [persistent:4] 1639->1632 https:wasd.lan:443 router.lan 08:00:52 4.147s GET /httpd/-/admin/report/WATCH?rqp=1&rsp=1&con=1&err=1&htp=i&cl... 1626->1606 https:wasd.lan:443 router.lan 07:59:57 00:10:45 GET /cgi-bin/smonitor?classes=&MODES=2&PROCESSES=3&SYSTEM=1&inte... ->1632 https:wasd.lan:443 router.lan 08:00:36 19.88s current:1 peak:1 count:5 ->1606 https:wasd.lan:443 router.lan 07:25:41 00:35:14 current:1 peak:4 count:13 1 HTTP/1.n, 2 via HTTP/2, 2 HTTP/2, 17-SEP-2021 07:58:17 </div> <p> Disconnect <span class="high italic">idle</span> (persistent HTTP/1.n and HTTP/2) connections. <div class="blockof code">$ HTTPD /DO=NET=PURGE </div> <p> All network connections can be disconnected (this may cause clients to lose data), selectively idle HTTP/1.n or HTTP/2 connections, a specific connection number and those matching the specified URI. <div class="blockof code">$ HTTPD /DO=NET=PURGE=ALL $ HTTPD /DO=NET=PURGE=HTTP1 $ HTTPD /DO=NET=PURGE=HTTP2 $ HTTPD /DO=NET=PURGE=<span class="high italic">number</span> $ HTTPD /DO=NET=PURGE=URI=<span class="high italic">pattern</span> </div> <p> Additionally, network connection acceptance can be suspended (leaving in-progress requests to complete), suspended and in-progress disconnected, and resumed. 
<div class="blockof code">$ HTTPD /DO=NET=SUSPEND $ HTTPD /DO=NET=SUSPEND=NOW $ HTTPD /DO=NET=RESUME </div> <a id="9.7.15" href="#"></a> <a id="9.7.15.shutdownandrestart" href="#"></a> <a id="shutdownandrestart" href="#"></a> <h3 class="head"><span class="numb">9.7.15</span><span class="text">Shutdown and Restart</span></h3> <p> Server shutdown may also be exercised from the Server Administration page (<a class="link" href="#9.serveradministration">9. Server Administration</a>). <p> The server may be shut down, without loss of existing client requests. Connection acceptance is stopped and any existing requests continue to be processed until conclusion. <div class="blockof code">$ HTTPD /DO=EXIT </div> <p> The server may be immediately and unconditionally shut down (in-progress requests are not allowed to complete, so clients may lose data). <div class="blockof code">$ HTTPD /DO=EXIT=NOW </div> <p> The server may be restarted, without loss of existing client requests. Connection acceptance is stopped and any existing requests continue to be processed until conclusion. This effectively causes the server to exit normally and the DCL <span class="high italic">wrapper</span> procedure to restart it. <div class="blockof code">$ HTTPD /DO=RESTART </div> <p> The <span class="high italic">now</span> variant restarts the server immediately regardless of existing connections. <div class="blockof code">$ HTTPD /DO=RESTART=NOW </div> <p> The when-<span class="high italic">quiet</span> variant restarts the server whenever request processing drops to zero for more than one second. It allows (perhaps non-urgent) changes to be put into effect through restart when everything has gone "quiet" and no demands are being placed on the server. <div class="blockof code">$ HTTPD /DO=RESTART=QUIET </div> <p> Significant server events such as these are prime candidates for server log annotation! 
<div class="blockof code">$ HTTPD /DO=RESTART=NOW /NOTE="Restarting the server just so I can note it :-)" </div> <a id="9.7.16" href="#"></a> <a id="9.7.16.securesocketslayer" href="#"></a> <a id="securesocketslayer" href="#"></a> <h3 class="head"><span class="numb">9.7.16</span><span class="text">Secure Sockets Layer</span></h3> <p> If the optional SSL component is installed and configured these directives become effective. <p> If X.509 authentication is enabled the Certificate Authority (CA) verification list can be reloaded. <div class="blockof code">$ HTTPD /DO=SSL=CA=LOAD </div> <p> Server certificates, after being updated, may be reloaded into the running services (i.e. without restart). This is a synonym for /DO=SERVICE=LOAD. <div class="blockof code">$ HTTPD /DO=SSL=CERT=LOAD </div> <p> If the private key is encrypted and its password has not been made available with the key, the server requests the password during startup. The following example shows the directive used to supply it and the resulting prompt. The password is not echoed when entered, and is therefore not left in command recall or a terminal log the way a password placed on the command line would be. <div class="blockof code">$ HTTPD /DO=SSL=KEY=PASSWORD Enter private key password []: </div> <a id="9.7.17" href="#"></a> <a id="9.7.17.throttle" href="#"></a> <a id="throttle" href="#"></a> <h3 class="head"><span class="numb">9.7.17</span><span class="text">Throttle</span></h3> <p> Unconditionally release all queued requests for immediate processing. <div class="blockof code">$ HTTPD /DO=THROTTLE=RELEASE </div> <p> Unconditionally terminate all requests queued waiting for processing. Clients receive a 503 "server too busy" response. <div class="blockof code">$ HTTPD /DO=THROTTLE=TERMINATE </div> <p> For VMS V8.2 and later, a more selective RELEASE and TERMINATE is possible. A user name or script name can be supplied and only matching requests have the specified action performed. 
<div class="blockof code">$ HTTPD /DO=THROTTLE=TERMINATE=REMOTE=<span class="high italic">pattern</span> $ HTTPD /DO=THROTTLE=TERMINATE=SCRIPT=<span class="high italic">pattern</span> </div> <a id="9.7.18" href="#"></a> <a id="9.7.18.websocket" href="#"></a> <a id="websocket" href="#"></a> <h3 class="head"><span class="numb">9.7.18</span><span class="text">WebSocket</span></h3> <p> Unconditionally disconnects all WebSocket applications. <div class="blockof code">$ HTTPD /DO=WEBSOCKET=DISCONNECT </div> <p> For VMS V8.2 and later, more selective disconnects are possible. Disconnects WebSocket applications with connection number, with matching script names, and with matching scripting account usernames, respectively. <div class="blockof code">$ HTTPD /DO=WEBSOCKET=DISCONNECT=<span class="high italic">number</span> $ HTTPD /DO=WEBSOCKET=DISCONNECT=SCRIPT=<span class="high italic">pattern</span> $ HTTPD /DO=WEBSOCKET=DISCONNECT=USER=<span class="high italic">pattern</span> </div> <!-- source:1000_WATCH.WASDOC --> <hr class="page"> <a id="10." 
href="#"></a> <a id="10.watchfacility" href="#"></a> <a id="watchfacility" href="#"></a> <h1 class="head"><span class="numb">10.</span><span class="text">WATCH Facility</span></h1> <div class="TOC2cols2"> <table class="TOC2table"> <tr><td><a href="#10.1.serverinstances"><span class="numb">10.1</span><span class="text">Server Instances</span></a> <tr><td><a href="#10.2.eventcategories"><span class="numb">10.2</span><span class="text">Event Categories</span></a> <tr><td><a href="#10.3.requestfiltering"><span class="numb">10.3</span><span class="text">Request Filtering</span></a> <tr><td><a href="#10.4.reportformat"><span class="numb">10.4</span><span class="text">Report Format</span></a> <tr><td><a href="#10.5.usagesuggestions"><span class="numb">10.5</span><span class="text">Usage Suggestions</span></a> <tr><td><a href="#10.6.commandlineuse"><span class="numb">10.6</span><span class="text">Command-Line Use</span></a> </table> </div> <table class="NAVtable NAVprint"><tr> <td><a href="javascript:window.history.back();">↩︎</a> <td><a href="#9.">↖︎</a> <td><a href="#0.">↑︎</a> <td><a href="#11.">↘︎</a> <td><a href="javascript:window.history.forward();">↪︎</a> </table> <p> The WATCH facility is a powerful adjunct in server administration. From the Server Administration facility (<a class="link" href="#9.serveradministration">9. Server Administration</a>) it provides an <span class="high bold">online, real-time, in-browser-window view of request processing in the running server</span>. The ability to observe live request processing on an ad hoc basis, without changing server configuration or shutting-down/restarting the server process, makes this facility a great configuration and problem resolution tool. 
It allows (amongst other uses) <ul class="list simple list0"> <li class="item"> assessment of mapping rules <li class="item"> assessment of authorization rules <li class="item"> investigation of request processing problems <li class="item"> observation of script interaction <li class="item"> general observation of server behaviour </ul> <p> A single client per server process can access the WATCH facility at any one time. It can be used in one of two modes. <ul class="list"> <li class="item"> As a <span class="high italic">one-shot</span>, one-off WATCH of a particular request. This is available from the <span class="high italic">Request Report</span> page of the Server Administration facility. In this case the single indicated request is tagged to be WATCHed in all categories (see below) for the duration of the request (or until the client stops WATCHing). <li class="item"> As described in the following sections, the server and all new requests being processed are candidates for being WATCHed. Categories are selected before initiating the WATCH and the report can be generated for a user-specified number of seconds or aborted at any time using the browser's <span class="high italic">stop</span> button. </ul> <p> An option immediately below the duration selector allows the WATCH output to concurrently be included in the server process log. This allows a permanent record (at least as permanent as server logs) to be simply produced. Be aware that the request/response body and network data categories dump raw content, which may include credentials, session tokens or other sensitive data carried by the requests; with this option enabled that content is also written to the process log and should be protected and retained accordingly. <a id="10.1" href="#"></a> <a id="10.1.serverinstances" href="#"></a> <a id="serverinstances" href="#"></a> <h2 class="head"><span class="numb">10.1</span><span class="text">Server Instances</span></h2> <p> With a single instance (see <a class="link" href="#8.1.serverinstances">8.1 Server Instances</a>) access to WATCH is always through the one server process. 
If multiple instances are configured WATCH requests, in common with all others, will be serviced by any one of the associated processes depending on the momentary state of the round-robin distribution. <p> This is often an issue for request WATCHing. The simplest scenario involves two instances. When the WATCH report is activated it will be serviced by the first process; when the request wishing to be WATCHed is accessed it (in the absence of any other server activity) will be serviced by the other process and will not be reported by WATCH on the first. <p> The solution is to suspend the round-robin request processing for the period of the WATCH activity. This does not shut any instance down but instead makes all but the supervisor instance quiescent. (Technically, it dequeues all the listening I/Os from non-supervisor instance server sockets, making the TCP/IP network driver send all connection requests to the one instance left with listening I/Os.) It is just a matter of making the non-supervisor instances active again when the WATCH activity is concluded. <p> This may be done from the command-line using <div class="blockof code">$ HTTPD /DO=INSTANCE=PASSIVE $ HTTPD /DO=INSTANCE=ACTIVE </div> or using the Server Administration facility (<a class="link" href="#9.serveradministration">9. Server Administration</a>) where there are [Active] and [Passive] buttons available when multiple instances are in use. Neither transition disrupts any requests being established or in-progress. <a id="10.2" href="#"></a> <a id="10.2.eventcategories" href="#"></a> <a id="eventcategories" href="#"></a> <h2 class="head"><span class="numb">10.2</span><span class="text">Event Categories</span></h2> <p> An <span class="high italic">event</span> is considered any significant point for which the server code has a reporting call provided. These have been selected to provide maximum information with minimum clutter and impact on server performance. 
Obvious examples are connection acceptance and closure, request path resolution, error report generation, network reads and writes, etc. Events are collected together into groupings to allow clearly defined areas of interest to be selected for reporting. <a class="imglink" target="_blank" href="./watch.png"><img class="image" src="./watch.png"></a> <p> The report menu provides for the inclusion of any combination of the following categories. <a id="10.2.0.0.1" href="#"></a> <a id="10.2.request" href="#"></a> <a id="request" href="#"></a> <h5 class="head"><span class="text">Request</span></h5> <ul class="list"> <li class="item"> <span class="high bold">Processing – </span> Each major step in a request's progress. For example, path resolution and final response status. <li class="item"> <span class="high bold">Header – </span> Provides the HTTP request header as a section of blank-line terminated text. <li class="item"> <span class="high bold">Body – </span> The content (if a POST or PUT method) of the request. This is provided as a hexadecimal dump on the left and with printable characters rendered on the right, 32 bytes per line. </ul> <a id="10.2.0.0.2" href="#"></a> <a id="10.2.response" href="#"></a> <a id="response" href="#"></a> <h5 class="head"><span class="text">Response</span></h5> <ul class="list"> <li class="item"> <span class="high bold">Processing – </span> Each major step in generating a response to the request. These generally reflect calls to a major server module such as file CACHE, FILE access, INDEX-OF, SSI processing, etc. One or more of these events may occur for each request. For instance a directory listing will show an INDEX-OF call and then usually a FILE call as any read-me file is accessed. <li class="item"> <span class="high bold">Header – </span> The blank-line terminated HTTP header to the response. Only server-generated headers are included. Scripts that provide a full HTTP stream do not have the header explicitly reported. 
The response body category must be enabled to observe these (indicated by a STREAM notation). <li class="item"> <span class="high bold">Body – </span> The content of the response. This is provided as a hexadecimal dump on the left and with printable characters rendered on the right, 32 bytes per line. Some requests also generate very large responses which will clutter output. Generally this category would be used when investigating specific request response body problems. </ul> <a id="10.2.0.0.3" href="#"></a> <a id="10.2.general" href="#"></a> <a id="general" href="#"></a> <h5 class="head"><span class="text">General</span></h5> <ul class="list"> <li class="item"> <span class="high bold">Connection – </span> Each TCP/IP connection acceptance and closure. The connect shows which service the request is using (scheme, host name and port). <li class="item"> <span class="high bold">Path Mapping – </span> This, along with the authorization report, provides one of the most useful aspects of the WATCH facility. It comprises an event line indicating the path to be mapped (it can also show a VMS file specification if a <span class="high italic">reverse-mapping</span> has been requested). Then as each rule is processed a summary showing current path, match "Y"/"N" for each path template and any conditional, then the result and conditional. Finally an event entry shows the resulting path, VMS file specification, any script name and specification resolved. The path mapping category allows the administrator to directly assess mapping rule processing with live or generated traffic. <li class="item"> <span class="high bold">Authorization – </span> When authorization is deployed this category shows the rules examined to determine if a path is controlled, any authentication events in assessing username and password, and the consequent group, user and request capabilities (read and/or write) for that path. No password information is displayed. 
<li class="item"> <span class="high bold">Error – </span> The essential elements of a request error report are displayed. This may include a VMS status value and associated system message. <li class="item"> <span class="high bold">CGI – </span> This category displays the generated CGI variable names and values as used by various forms of scripting and by SSI documents, as well as the processing of the response header returned by scripts. <li class="item"> <span class="high bold">DCL – </span> Debugging scripts can sometimes present particular difficulties. This category may help. It reports on all input/output streams with the process (SYS$INPUT, SYS$OUTPUT, SYS$COMMAND, CGIPLUSIN). <li class="item"> <span class="high bold">DECnet – </span> For the same reason as above this category reports all DECnet scripting input/output of the DECnet link. In particular, it allows the observation of the OSU scripting protocol. <li class="item"> <span class="high bold">WebDAV – </span> Provides WebDAV specific processing points including request and meta-data XML associated with resources. </ul> <a id="10.2.0.0.4" href="#"></a> <a id="10.2.network" href="#"></a> <a id="network" href="#"></a> <h5 class="head"><span class="text">Network</span></h5> <ul class="list"> <li class="item"> <span class="high bold">Activity – </span> For each raw network read and write the VMS status code and size of the I/O is recorded. <li class="item"> <span class="high bold">Data – </span> For each raw network read or write the contents are provided as a hexadecimal dump on the left and with printable characters rendered on the right, 32 bytes per line. <li class="item"> <span class="high bold">HTTP/2 – </span> Provides a detailed overview of the underlying HTTP/2 framing and connection management exchanges between client and server. See <a class="link" href="#5.1.http2andwatch">‘HTTP/2 and WATCH’ in 5.1 WASD HTTP/2</a> for further detail. 
</ul> <a id="10.2.0.0.5" href="#"></a> <a id="10.2.other" href="#"></a> <a id="other" href="#"></a> <h5 class="head"><span class="text">Other</span></h5> <ul class="list"> <li class="item"> <span class="high bold">Logging – </span> Access logging events include log open, close and flush, as well as request entries. <li class="item"> <span class="high bold">Match – </span> Shows a significant level of detail during string matching activities. May be useful during mapping, authorization and conditional processing. <li class="item"> <span class="high bold">Script – </span> Sets CGI variable WATCH_SCRIPT allowing a script to explicitly detect this so as to output specific debugging or other information when being WATCHed. <li class="item"> <span class="high bold">SSL – </span> If the Secure Sockets Layer image is in use this category provides a indication of high-level activity. <li class="item"> <span class="high bold">Internal – </span> Includes information on other significant internal server processing. Examples are dictionary entries at various stages of request processing, and the high-level timing and timeout events occuring within that processing and the server in general. </ul> <a id="10.2.0.0.6" href="#"></a> <a id="10.2.proxy" href="#"></a> <a id="proxy" href="#"></a> <h5 class="head"><span class="text">Proxy</span></h5> <ul class="list"> <li class="item"> <span class="high bold">Processing – </span> Each major step during the serving of a proxied request. <li class="item"> <span class="high bold">Request Header – </span> The proxy server rebuilds the request originally received from the client. This category shows that rebuilt request, the one that is sent to the remote server. <li class="item"> <span class="high bold">Request Body – </span> In the case of HTTP POST or PUT methods any request body is displayed. This is provided as a hexadecimal dump on the left and with printable characters rendered on the right, 32 bytes per line. 
<li class="item"> <span class="high bold">Response Header – </span> The blank-line terminated HTTP header to the response from the remote, proxied server. <li class="item"> <span class="high bold">Response Body – </span> The content of the response sent from the remote server. This is provided as a hexadecimal dump on the left and with printable characters rendered on the right, 32 bytes per line. <li class="item"> <span class="high bold">Rework – </span> When reworking (see <a class="link" href="#7.6.2.proxyrework">7.6.2 Proxy Rework</a>) the string matching and substitution is displayed. </ul> <a id="10.2.0.0.7" href="#"></a> <a id="10.2.codemodules" href="#"></a> <a id="codemodules" href="#"></a> <h5 class="head"><span class="text">Code Modules</span></h5> <p> If the server has been compiled using the WATCH_MOD=1 macro a set of module WATCHing statements is included. These provide far more detailed processing information than available with the generic WATCH, are intended primarily for debugging the server during development and testing. This is considered a specialized tool, with the quantity and level of detail produced most likely proving counter-productive in addressing general site configuration issues. The module items are shown below the usual WATCH items. <a id="10.3" href="#"></a> <a id="10.3.requestfiltering" href="#"></a> <a id="requestfiltering" href="#"></a> <h2 class="head"><span class="numb">10.3</span><span class="text">Request Filtering</span></h2> <p> By default all requests to all services are WATCHed. Fine control may be exercised over exactly which requests are reported, allowing only a selected portion of all requests being processed to be concentrated on, even on a live and busy server. This is done by <span class="high italic">filtering</span> requests according the following criteria. <ul class="list"> <li class="item"> <span class="high bold">Protocol – </span> The HTTP protocol being used to transport the request. 
Multiple protocols may be selected and concurrently filtered against. <li class="item"> <span class="high bold">Client – </span> The originating host name or address. Unless server DNS host name resolution is enabled this must be expressed in dotted-decimal notation. The <span class="high nowrap"> " <input type="checkbox" id="checkbox1" name="checkbox1"><label for="checkbox1">moi</label> "</span> checkbox filters on the WATCHing party's host address. <li class="item"> <span class="high bold">Service – </span> The service connected to. This includes the <span class="high italic">scheme</span> of the service (i.e. "http:", "https:"), the host name (real or virtual), and the port. The host name is the <span class="high italic">official</span> name of the service as reported during server startup. As the port number is a essential part of the service specification it must always be explicitly supplied or wildcarded. <li class="item"> <span class="high bold">Request – </span> This filter operates on the entire HTTP request header. All fields supplied with the request are available to be filtered against. As this is a large, multi-line dataset filters can become quite complex and regular expression (see <a class="link blank" target="_blank" href="../config/#stringmatching">String Matching</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>) matching may be useful (see examples below). <li class="item"> <span class="high bold">URI – </span> This is the string provided by the client and specifying the requested resource. It includes the resource path along with any query string. It can contain URL-encoded (sometimes referred to as percent-encoded) characters. Some characters have alternate encodings, such as the space, as + or %20. <li class="item"> <span class="high bold">Realm & User – </span> This filters against request authentication information. 
As authorization occurs relatively late in request processing some data reported earlier by WATCH will not be available. <li class="item"> <span class="high bold">HTTP Status – </span> This allows a class of response status (1 (informational), 2 (success), 3 (redirection), 4 (client error) and 5 (server error)) or a specific response status (e.g. 200 (success), 404 (not found), 503 (service unavailable), etc.) to be filtered into the WATCH report. As this happens very late in request processing the number of reported events is limited but may provide some insight into particular processing problems. </ul> <p> In addition there are <span class="high bold"><span class="high italic">in</span> and <span class="high italic">out</span> selectors</span> against each of the filters which include or exclude the particular request based on it matching the filter. <p> These filters are controlled using fully-specified, wildcarded strings or using regular expression patterns (see <a class="link blank" target="_blank" href="../config/#requestprocessingconfiguration">Request processing Configuration</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>). In common with all WASD processing, filter matching is case-insensitive. Of course, due to the point of application of a particular filter during request processing, some information may or may not be displayed. When a request is filtered into or out of the report because of a matching filter a FILTER informational item is reported. <a id="10.3.0.0.1" href="#"></a> <a id="10.3.examples" href="#"></a> <a id="examples" href="#"></a> <h5 class="head"><span class="text">Examples</span></h5> <ol class="list"> <li class="item"> This first example shows various strings and patterns that could be applied to the client filter. 
<div class="blockof code">alpha.example.com *.example.com 131.185.250.202 131.185.250.* ^10.68.250.*|10.68.251.* </div> <li class="item"> This example shows various filters applied to the service (virtual server). <div class="blockof code">beta.example.com:8000 beta.example.com:* http://* https:* *:80 </div> <li class="item"> The request filter contains the entire HTTP request header. This includes multiple, newline-delimited fields. Filtering can be simple or quite complex. These examples filter all POST requests (either in or out of the report depending on the respective selector), and all POSTs to the specified script respectively. <div class="blockof code">POST * POST /cgi-bin/example* </div> <p> These are the equivalent regular expressions but they will also stop comparing at the end of the initial request line. The second, in this case, will also only filter against HTTP/1.1 version requests (note the final period matching the <CR> of the <CR><LF> carriage control). <div class="blockof code">^^POST .*$ ^^POST */cgi-bin/example *HTTP/1\.1.$ </div> <p> This example uses a regular expression to constrain the match to a single header field (line, or newline-delimited string), matching all requests where the user agent reports using the "Gecko" browser component (Mozilla, Firefox, etc.) <div class="blockof code">^^User-agent:.*Gecko.*$ </div> <li class="item"> The path and track filter. The path contains a proxied origin server request and so can be used to filter proxy requests to specific sites. <div class="blockof code">/wasd_root/src/* /cgi-bin/* /web/*/cyrillic/* $ORoKJAOef8sAAAkuACc http://proxied.host.name/* </div> <li class="item"> The authentication filters, realm and user, can be used to select requests for a particular authenticated user, all authenticated requests or all non-authenticated requests, amongst other applications. The realm field allows the authenticated user to be further narrowed as necessary. 
All of the following examples show only the user field with the default <span class="high italic">in</span> selector set. <p> Authenticated requests for user DANIEL. <div class="blockof code">DANIEL </div> <p> All authenticated requests. <div class="blockof code">%* </div> </ol> <a id="10.4" href="#"></a> <a id="10.4.reportformat" href="#"></a> <a id="reportformat" href="#"></a> <h2 class="head"><span class="numb">10.4</span><span class="text">Report Format</span></h2> <p> The following example illustrates the format of the WATCH report. It begins with multi-line heading. The first two record the date, time and official server name, with underline. The third provides the WASD server version. The fourth provides some TCP/IP agent information. Lines following can show OpenSSL version (if deployed), system information, server startup command-line, and then current server process quotas. The last three lines of the header provide a list of the categories being recorded, the filters in use, and the last, column headings described as follows: <ul class="list simple list0"> <li class="item"> <span class="high bold">time</span> the event was recorded <li class="item"> the <span class="high bold">module</span> name of the originating source code <li class="item"> the <span class="high bold">line</span> in the code module <li class="item"> a unique <span class="high bold">item</span> number for each thread being WATCHed <li class="item"> event <span class="high bold">category</span> name <li class="item"> free-form, but generally interpretable <span class="high bold">event</span> data </ul> <a class="imglink" target="_blank" href="./watchreport.png"><img class="image" src="./watchreport.png"></a> <p> Note that some items also include a block of data. The request header category does this, providing the blank-line terminated text comprising the HTTP header. Rule mapping also provides a block of information representing each rule as it is interpreted. 
Generally WATCH-generated information can be distinguished from other data by the uniform format and delimiting vertical bars. Initiative and imagination is sometimes required to interpret the free-form data but a basic understanding of HTTP serving and a little consideration is generally all that is required to deduce the essentials of any report. <div class="blockof code">01-NOV-2021 23:24:40 WATCH REPORT x86vms.lan:80 ------------------------------------------------- HTTPD_SSL 12.0.0 31-OCT-2021 07:38:27.62 DKA100:[WASD_ROOT.][X86_64]HTTPD_SSL.EXE (28-OCT-2021 02:51:54.41) HP TCPIP$IPC_SHR X6.0-12 (31-AUG-2021 20:01:12.49) OpenSSL 1.1.1k 25 Mar 2021 (Tue Mar 30 04:14:48 2021 UTC) [SYS0.SYSCOMMON.SSL111.INCLUDE]*.H SYS$COMMON:[SYSLIB]SSL111$LIBSSL_SHR32.EXE $ CC (V8.4-2L1/70430528) /DECC /STAND=RELAXED_ANSI /PREFIX=ALL /NAMES=UPPER /OPTIMIZE /NODEBUG /WARNING=(NOINFORM,DISABLE=(PREOPTW)) /FLOAT=IEEE /IEEE=DENORM /DEFINE=(WASD_VMS_V7,SESOLA,WATCH_CAT=1,WATCH_MOD=0,WASD_ACME=1,WASD_GETSPI=1) innotek GmbH VirtualBox with 2 CPUs and 3584MB running VMS V9.1-A (ODS-5 enabled, VMS NAML, VMS FIB, ODS-DIRECT enabled, ZLIB X00018292 (%RMS-E-FNF, file not found), REGEX enabled, lksb$b_valblk[64]) $ HTTPD /PRIORITY=4 /SYSUAF=(ID,SSL,PROXY)/PERSONA=RELAXED/PROFILE AST:1978/2000 BIO:1984/2000 BYT:4026752/4999424 DIO:977/1000 ENQ:462/500 FIL:293/300 PGFL:345472/512000 PRC:0/100 TQ:98/100 DCL Scripting: detached, as HTTP$NOBODY, PERSONA enabled Process: WASD:80 OTHER DKA100:[wasd_root.][startup]startup_server.com;1 DKA100:[wasd_root.][log_server]X86VMS_20211101015323.LOG;1 Instances: X86VMS::WASD:80 Watching: connect, request, req-header, response, error (539) via HTTP/2 Filter: NONE |Time_______|Module__|Line|Item__|Category__|Event...| |23:24:52.89 HTTP2REQ 0308 023002 CONNECT HTTP/2 begin 23 with gort.lan,53801| |++++++++++++++++++++++++++++++++++++++++++++ |23:24:52.89 HTTP2REQ 0324 023002 REQ-HEADER HEADER 371 bytes| GET /httpd/-/admin/ HTTP/1.1 accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 accept-encoding: br, gzip, deflate user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.2 Safari/605.1.15 accept-language: en-au authorization: ******************************* host: x86vms.gets-it.net |23:24:52.89 REQUEST 3703 023002 REQ-HEADER DATA| ENTRY 001 [012] $ {12}request_line={28}GET /httpd/-/admin/ HTTP/1.1 ENTRY 002 [014] > {6}accept={63}text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 ENTRY 003 [018] > {15}accept-encoding={17}br, gzip, deflate ENTRY 004 .001. > {10}user-agent={119}Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.2 Safari/605.1.15 ENTRY 005 [007] > {15}accept-language={5}en-au ENTRY 006 [031] > {13}authorization={30}****************************** ENTRY 007 [024] > {4}host={18}x86vms.gets-it.net |23:24:52.89 SERVICE 1747 023002 CONNECT VIRTUAL x86vms.gets-it.net:443| |23:24:52.89 REQUEST 4413 023002 REQUEST GET /httpd/-/admin/| |23:24:52.89 ADMIN 0265 023002 RESPONSE ADMIN /httpd/-/admin/| |23:24:52.89 REQUEST 1435 023002 REQUEST STATUS 200 (OK) rx:106 tx:19536 bytes 10.000ms 1,964,219 B/s| |-------------------------------------------- |23:24:52.89 HTTP2REQ 1165 023002 CONNECT HTTP/2 end 23 with gort.lan,53801| |23:24:53.40 HTTP2REQ 0308 025002 CONNECT HTTP/2 begin 25 with gort.lan,53801| |++++++++++++++++++++++++++++++++++++++++++++ |23:24:53.40 HTTP2REQ 0324 025002 REQ-HEADER HEADER 310 bytes| GET /rtt?ping HTTP/1.1 accept: */* accept-encoding: br, gzip, deflate user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.2 Safari/605.1.15 accept-language: en-au referer: https://x86vms.gets-it.net/httpd/-/admin/ host: x86vms.gets-it.net |23:24:53.40 REQUEST 3703 025002 REQ-HEADER DATA| ENTRY 001 [012] $ {12}request_line={22}GET /rtt?ping HTTP/1.1 ENTRY 002 [014] > {6}accept={3}*/* ENTRY 003 
[018] > {15}accept-encoding={17}br, gzip, deflate ENTRY 004 .001. > {10}user-agent={119}Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.2 Safari/605.1.15 ENTRY 005 [007] > {15}accept-language={5}en-au ENTRY 006 [013] > {7}referer={41}https://x86vms.gets-it.net/httpd/-/admin/ ENTRY 007 [024] > {4}host={18}x86vms.gets-it.net |23:24:53.40 ADMIN 4414 025002 CONNECT RTT PING!| |23:24:53.40 REQUEST 1435 025002 REQUEST STATUS 204 (No Content) rx:60 tx:369 bytes 0.0s 0 B/s| |-------------------------------------------- |23:24:53.40 HTTP2REQ 1165 025002 CONNECT HTTP/2 end 25 with gort.lan,53801| </div> <a id="10.5" href="#"></a> <a id="10.5.usagesuggestions" href="#"></a> <a id="usagesuggestions" href="#"></a> <h2 class="head"><span class="numb">10.5</span><span class="text">Usage Suggestions</span></h2> <p> The following provides a brief explanation on the way WATCH operates and any usage implications. <p> A single client may be connected to the WATCH facility at any given time. When connecting the client is sent an HTTP response header and the WATCH report heading lines. The request then remains connected until the WATCH duration expires or the client overtly aborts the connection. During this period the browser behaves as if receiving a sometimes very slow, sometimes stalled, plain-text document. As the server processes WATCHable events the text generated is sent to the WATCH-connected client. <p> If the connection is aborted by the user some browsers will consider document retrieval to be incomplete and attempt to reconnect to the service if an attempt is made to print or save the resulting document. As the printing of WATCH information is often quite valuable during problem resolution this behaviour can result in loss of information and generally be quite annoying. 
Appropriate use of the duration selector when requesting a report can work around this, as at expiry the <span class="high italic">server</span> disconnects, browsers generally interpreting this as legitimate end-of-document (when no content-length has been specified). <p> During report processing some browsers may not immediately update the on-screen information to reflect received data without some application activity. If scroll-bars are present on the document window manipulating either the horizontal or vertical slider will often accomplish this. Failing that minimizing then restoring the application will usually result in the most recent information being visible. <p> Browser <span class="high italic">reload/refresh</span> may be used to restart the report. A browser will quite commonly attempt to remain at the current position in the document, which with a WATCH report's sustained but largely indeterminate data stream may take some time to reach. It is suggested the user ensure that any vertical scroll-bar is at the beginning of the current report, then refresh the report. <p> Selecting a large number of categories, those that generate copious output for a single event (e.g. response body) or collecting for extended periods can all result in the receipt of massive reports. Some browsers do not cope well with documents megabytes in size. <div class="note"><a id="10.5.0.0.0.1" href="#"></a> <a id="10.5.note" href="#"></a> <a id="note" href="#"></a> <h5 class="head center"><span class="text">Note</span></h5> <hr class="note_hr"> WATCH reports are written using non-blocking I/O into an internal buffer. This buffer is written when filled, or flushed at a one second interval. Slight latency may be experienced with sporadic WATCH report items. <hr class="note_hr"> </div> <p> <span class="high bold">When supplying WATCH output as part of a problem report</span> please ZIP the file and include it as an e-mail attachment. 
Mailers often mangle the report format making it difficult to interpret. <a id="10.6" href="#"></a> <a id="10.6.commandlineuse" href="#"></a> <a id="commandlineuse" href="#"></a> <h2 class="head"><span class="numb">10.6</span><span class="text">Command-Line Use</span></h2> <p> Although intended primarily as a tool for online use WATCH can be deployed at server startup with a command-line qualifier and provide report output to the server process log. This is slightly more cumbersome than the Web interface but may still be useful in some circumstances. Full control over event categories and filters is possible. <ul class="list"> <li class="item"> <span class="high bold">/NOWATCH</span> Disables the use of the online WATCH facility. <li class="item"> <span class="high bold">/WATCH=</span> Enables the server WATCH facility, dumping to standard output (and the server process log if detached). When in effect the online facility is unavailable. The string supplied to the qualifier may comprise four comma-separated components. Only the first is mandatory. Stated order is essential. It will probably be necessary to enclose the complete string in quotation marks. <ul class="list"> <li class="item"> <span class="high bold">LIST – </span> The LIST keyword provides a list of all the categories (items) available for WATCHing. <li class="item"> <span class="high bold">NOSTARTUP – </span> This keyword suppresses WATCH output until the server is ready to process requests. It must be the leading keyword. <li class="item"> <span class="high bold"> <span class="high italic">items</span> – </span> A parenthesized, comma-separated list of category keywords. Available keywords can be displayed using the LIST facility. <li class="item"> <span class="high bold"> <span class="high italic">filters</span> – </span> Client, service and path filters can be provided following the specification of required items. They must be provided in the order listed above. 
Leading filters that are not required must be provided as single, asterisk wildcards. WATCH parameter with filters containing forward-slashes will require quoting. </ul> </ul> <p> The following examples illustrate the command-line WATCH specification. <div class="blockof code">/NOWATCH /WATCH=NOSTARTUP,ITEMS=(REQUEST,RESPONSE,MAPPING) /WATCH="ITEMS=(REQUEST,RESPONSE,ERROR),*,*,/cgi-bin/*" /WATCH=LIST </div> <!-- source:1100_PERFORMANCE.WASDOC --> <hr class="page"> <a id="11." href="#"></a> <a id="11.serverperformance" href="#"></a> <a id="serverperformance" href="#"></a> <h1 class="head"><span class="numb">11.</span><span class="text">Server Performance</span></h1> <table class="TOC2table"> <tr><td><a href="#11.1.simplefilerequestturnaround"><span class="numb">11.1</span><span class="text">Simple File Request Turn-Around</span></a> <tr><td><a href="#11.2.scripting"><span class="numb">11.2</span><span class="text">Scripting</span></a> </table> </div> <table class="NAVtable NAVprint"><tr> <td><a href="javascript:window.history.back();">↩︎</a> <td><a href="#10.">↖︎</a> <td><a href="#0.">↑︎</a> <td><a href="#12.">↘︎</a> <td><a href="javascript:window.history.forward();">↪︎</a> </table> <div class="note center"> <a id="11.0.0.0.1" href="#"></a> <a id="11.thesearev115results" href="#"></a> <a id="thesearev115results" href="#"></a> <h5 class="head center"><span class="text">These Are v11.5 Results</span></h5> <hr class="note_hr"> It is planned to evaluate x86-64 v12 performance once OpenVMS V9.2-1 and native compilers become available some time later in CY2022. <hr class="note_hr"> </div> <p> The server has a single-process, multi-threaded, asynchronous I/O design. On a single-processor system this is the most efficient approach. On a multi-processor system it is limited by the single process context (with scripts executing within their own context). For I/O constrained processing (the most common in general Web environments) the AST-driven approach is quite efficient. 
<p> The test-bench system was a <span class="high bold">DEC PWS 500 with 1 CPU and 1.5GB memory</span>, running <span class="high bold">VSI OpenVMS V8.4-2L1 and VSI TCP/IP TCPIP V5.7-13ECO5F</span>. <div class="note"> <a id="11.0.0.0.2" href="#"></a> <a id="11.sureanoldclunker" href="#"></a> <a id="sureanoldclunker" href="#"></a> <h5 class="head center"><span class="text">Sure, an old clunker</span></h5> <hr class="note_hr"> WASD largely has been developed on this system for 15+ years. <p> While by today's standards it is a very resource constrained system, especially by the EV56 (21164A) CPU, it has pretty-much done everything asked of it for all that time. Importantly, it has recent releases of system software, courtesy of VSI's ISV support programme. For performance purposes, this allows comparison with recent releases of CSWS (VMS Apache). <p> The requirements for a test-bench system effectively exclude production systems, especially external ones, hence working with what is at hand. <hr class="note_hr"> </div> <p> This performance data (WASD v11.5) has been collected very differently from the next most recent from over a decade ago (WASD v10.0). Apart from the move from an HP rx2600 to the vintage PWS 500, the previous benchmarking tools were WASD-in-house, ApacheBench (AB) and WASDbench (WB), executing on the same system as the server, eliminating network traffic <span class="high italic">on-the-wire</span>. The current absolute benchmarks cannot meaningfully be compared to previous data. The relativities seem to be comparable. 
<a id="11.0.0.0.3" href="#"></a> <a id="11.benchmarksetup" href="#"></a> <a id="benchmarksetup" href="#"></a> <h5 class="head"><span class="text">Benchmark Setup</span></h5> <p> These data have been collected using the <span class="high italic">h2load</span> utility (<a class="link blank" target="_blank" href="https://nghttp2.org/documentation/h2load.1.html">https://nghttp2.org/documentation/h2load.1.html</a>) from the HTTP/2 C Library (<a class="link blank" target="_blank" href="https://nghttp2.org">https://nghttp2.org</a>). This utility can be used to configurably load <span class="high bold">HTTP, HTTPS and HTTP/2</span> servers. Note that the number of client threads (<span class="high monosp">-t</span>) is explicitly set to the connection concurrency (<span class="high monosp">-c</span>) to maximise <span class="high italic">h2load</span> processing. <p> The <span class="high italic">h2load</span> utility is running on an 8CPU 32GB Mac Pro, across a 500 Mbps LAN to the 100 Mbps interface of the PWS. The obvious resource constraints are the single PWS CPU and network interface. Every effort has been made to ensure these do not unreasonably constrain the comparison. <p> Clear text HTTP (port 80) data is collected to measure internal server processing without the CPU-intensive overhead of encryption. Encrypted HTTP (port 443) data provides more real-world scenarios (especially now clear-text is largely deprecated). Both WASD and Apache were using OpenSSL 1.1.1 and negotiated TLS v1.2. <p> Output from <span class="high italic">h2load</span> benchmarking runs is included in the <a class="link blank" target="_blank" href="/wasd_root/exercise/*v115*.txt">WASD_ROOT:[EXERCISE]*V115*.TXT</a> directory and is summarised below. 
<a id="11.0.0.0.4" href="#"></a> <a id="11.theseresultsareindicativeonly" href="#"></a> <a id="theseresultsareindicativeonly" href="#"></a> <h5 class="head"><span class="text">These results are indicative only!</span></h5> <p> Every endeavour has been made to ensure the comparison is as equitable as possible. Both servers execute at the same process priority, access logging and host name lookup disabled, and runs on the same machine in the same relatively quiescent environment. Each test run was interleaved between each server to try and distribute any environment variations. Those runs that are very high throughput use a larger number of requests to improve sample period validity. Both servers were configured pretty-much "out-of-the-box", minimal changes (generally just enough to get the test environment going). Multiple data collections have yielded essentially equivalent relative results. <p> For the test-bench WASD v11.5 is present on ports 80 and 443. <a id="11.0.0.0.5" href="#"></a> <a id="11.apachecomparison" href="#"></a> <a id="apachecomparison" href="#"></a> <h5 class="head"><span class="text">Apache Comparison</span></h5> <p> The Apache comparison used the latest VSI AXPVMS CSWS V2.4-38C (based on Apache v2.4.38) kit. Apache is present on ports 7780 and 7443. <a id="11.0.0.0.6" href="#"></a> <a id="11.osucomparison" href="#"></a> <a id="osucomparison" href="#"></a> <h5 class="head"><span class="text">OSU Comparison</span></h5> <p> Previous benchmarking included OSU data. These are no longer collected. <a id="11.1" href="#"></a> <a id="11.1.simplefilerequestturnaround" href="#"></a> <a id="simplefilerequestturnaround" href="#"></a> <h2 class="head"><span class="numb">11.1</span><span class="text">Simple File Request Turn-Around</span></h2> <p> A series of tests using batches of accesses. The first test returned an empty file measuring response and file access time, without any actual transfer. 
The second requested a file of 64k characters, testing performance with a more realistic load. All were done using one and ten concurrent requests. <div class="blockof block center"> <a id="11.1.0.0.1" href="#"></a> <a id="11.1.http11clear" href="#"></a> <a id="http11clear" href="#"></a> <h5 class="head under"><span class="text">HTTP/1.1 clear</span></h5> <a id="11.1.0.0.2" href="#"></a> <a id="11.1.concurrency1" href="#"></a> <a id="concurrency1" href="#"></a> <h5 class="head"><span class="text">Concurrency 1</span></h5> <table class="tabu tabauto"> <tr class="tabr"> <th class="tabh"> <th class="tabh" colspan="2">Requests/Second <th class="tabh" colspan="2">Data Rate MBps <tr class="tabr"> <th class="tabh">Response <th class="tabh">WASD <th class="tabh">Apache <th class="tabh">WASD <th class="tabh">Apache <tr class="tabr"> <td class="tabd">0k <td class="tabd">352 <td class="tabd">71 <td class="tabd">0.104 <td class="tabd">0.018 <tr class="tabr"> <td class="tabd">64k <td class="tabd">61 <td class="tabd">36 <td class="tabd">3.740 <td class="tabd">2.230 </table> <a id="11.1.0.0.3" href="#"></a> <a id="11.1.concurrency10" href="#"></a> <a id="concurrency10" href="#"></a> <h5 class="head"><span class="text">Concurrency 10</span></h5> <table class="tabu tabauto"> <tr class="tabr"> <th class="tabh"> <th class="tabh" colspan="2">Requests/Second <th class="tabh" colspan="2">Data Rate MBps <tr class="tabr"> <th class="tabh">Response <th class="tabh">WASD <th class="tabh">Apache <th class="tabh">WASD <th class="tabh">Apache <tr class="tabr"> <td class="tabd">0k <td class="tabd">1146 <td class="tabd">67 <td class="tabd">0.338 <td class="tabd">0.017 <tr class="tabr"> <td class="tabd">64k <td class="tabd">124 <td class="tabd">48 <td class="tabd">7.590 <td class="tabd">2.940 </table> <a id="11.1.0.0.4" href="#"></a> <a id="11.1.http11encrypted" href="#"></a> <a id="http11encrypted" href="#"></a> <h5 class="head under"><span class="text">HTTP/1.1 encrypted</span></h5> <a 
id="11.1.0.0.5" href="#"></a> <a id="11.1.concurrency1" href="#"></a> <a id="concurrency1" href="#"></a> <h5 class="head"><span class="text">Concurrency 1</span></h5> <table class="tabu tabauto"> <tr class="tabr"> <th class="tabh"> <th class="tabh" colspan="2">Requests/Second <th class="tabh" colspan="2">Data Rate MBps <tr class="tabr"> <th class="tabh">Response <th class="tabh">WASD <th class="tabh">Apache <th class="tabh">WASD <th class="tabh">Apache <tr class="tabr"> <td class="tabd">0k <td class="tabd">276 <td class="tabd">51 <td class="tabd">0.092 <td class="tabd">0.013 <tr class="tabr"> <td class="tabd">64k <td class="tabd">21 <td class="tabd">25 <td class="tabd">1.300 <td class="tabd">1.550 </table> <a id="11.1.0.0.6" href="#"></a> <a id="11.1.concurrency10" href="#"></a> <a id="concurrency10" href="#"></a> <h5 class="head"><span class="text">Concurrency 10</span></h5> <table class="tabu tabauto"> <tr class="tabr"> <th class="tabh"> <th class="tabh" colspan="2">Requests/Second <th class="tabh" colspan="2">Data Rate MBps <tr class="tabr"> <th class="tabh">Response <th class="tabh">WASD <th class="tabh">Apache <th class="tabh">WASD <th class="tabh">Apache <tr class="tabr"> <td class="tabd">0k <td class="tabd">175 <td class="tabd">46 <td class="tabd">0.580 <td class="tabd">0.112 <tr class="tabr"> <td class="tabd">64k <td class="tabd">39 <td class="tabd">24 <td class="tabd">2.360 <td class="tabd">1.440 </table> <a id="11.1.0.0.7" href="#"></a> <a id="11.1.http2encrypted" href="#"></a> <a id="http2encrypted" href="#"></a> <h5 class="head under"><span class="text">HTTP/2 (encrypted)</span></h5> <p> (VMS Apache currently does not support HTTP/2) <a id="11.1.0.0.8" href="#"></a> <a id="11.1.concurrency1" href="#"></a> <a id="concurrency1" href="#"></a> <h5 class="head"><span class="text">Concurrency 1</span></h5> <table class="tabu tabauto"> <tr class="tabr"> <th class="tabh"> <th class="tabh" colspan="2">Requests/Second <th class="tabh" colspan="2">Data Rate MBps 
<tr class="tabr"> <th class="tabh">Response <th class="tabh">WASD <th class="tabh">Apache <th class="tabh">WASD <th class="tabh">Apache <tr class="tabr"> <td class="tabd">0k <td class="tabd">191 <td class="tabd">- <td class="tabd">0.286 <td class="tabd">- <tr class="tabr"> <td class="tabd">64k <td class="tabd">20 <td class="tabd">- <td class="tabd">1.210 <td class="tabd">- </table> <a id="11.1.0.0.9" href="#"></a> <a id="11.1.concurrency10" href="#"></a> <a id="concurrency10" href="#"></a> <h5 class="head"><span class="text">Concurrency 10</span></h5> <table class="tabu tabauto"> <tr class="tabr"> <th class="tabh"> <th class="tabh" colspan="2">Requests/Second <th class="tabh" colspan="2">Data Rate MBps <tr class="tabr"> <th class="tabh">Response <th class="tabh">WASD <th class="tabh">Apache <th class="tabh">WASD <th class="tabh">Apache <tr class="tabr"> <td class="tabd">0k <td class="tabd">156 <td class="tabd">- <td class="tabd">0.240 <td class="tabd">- <tr class="tabr"> <td class="tabd">64k <td class="tabd">37 <td class="tabd">- <td class="tabd">2.250 <td class="tabd">- </table> </div> <p> Data file (non-relevant output snipped): <ul class="list simple list0"> <li class="item"> <a class="link blank" target="_blank" href="/wasd_root/exercise/perf_files_v115.txt">WASD_ROOT:[EXERCISE]PERF_FILES_V115.TXT</a> </ul> <a id="11.1.0.0.10" href="#"></a> <a id="11.1.filetransferrate" href="#"></a> <a id="filetransferrate" href="#"></a> <h5 class="head"><span class="text">File Transfer Rate</span></h5> <p> Requests for a large <span class="high italic">binary</span> file (3.92MB - 8039 blocks) indicate a <span class="high bold">potential transfer rate of multiple Mbytes per second</span>. 
<div class="blockof block center"><a id="11.1.0.0.11" href="#"></a> <a id="11.1.dataratembytessecond" href="#"></a> <a id="dataratembytessecond" href="#"></a> <h5 class="head"><span class="text">Data Rate - MBytes/Second</span></h5> <p> (VMS Apache currently does not support HTTP/2) <table class="tabu tabauto"> <tr class="tabr"> <td class="tabd"> <th class="tabh">Concurrent <th class="tabh">WASD <th class="tabh">Apache <tr class="tabr"> <th class="tabh" colspan="1" rowspan="2">HTTP/1.1<br>(clear) <td class="tabd">1 <td class="tabd">6.07 <td class="tabd">4.40 <tr class="tabr"> <td class="tabd">10 <td class="tabd">8.85 <td class="tabd">8.70 <tr class="tabr"> <th class="tabh" colspan="1" rowspan="2">HTTP/1.1<br>(encrypted) <td class="tabd">1 <td class="tabd">2.91 <td class="tabd">3.23 <tr class="tabr"> <td class="tabd">10 <td class="tabd">2.77 <td class="tabd">2.92 <tr class="tabr"> <th class="tabh" colspan="1" rowspan="2">HTTP/2<br>(encrypted) <td class="tabd">1 <td class="tabd">2.77 <td class="tabd">- <tr class="tabr"> <td class="tabd">10 <td class="tabd">2.80 <td class="tabd">- </table> </div> <p> Data file (non-relevant output snipped): <ul class="list simple"> <li class="item"> <a class="link blank" target="_blank" href="/wasd_root/exercise/perf_xfer_v115.txt">WASD_ROOT:[EXERCISE]PERF_XFER_V115.TXT</a> </ul> <a id="11.1.0.0.12" href="#"></a> <a id="11.1.filerecordformat" href="#"></a> <a id="filerecordformat" href="#"></a> <h5 class="head"><span class="text">File Record Format</span></h5> <p> The WASD server can handle STREAM, STREAM_LF, STREAM_CR, FIXED and UNDEFINED record formats very much more efficiently than VARIABLE or VFC files. With STREAM, FIXED and UNDEFINED files the assumption is that HTTP carriage-control is within the file itself (i.e. at least the newline (LF), all that is required by browsers), and does not require additional processing. 
With VARIABLE record files the carriage-control is implied and therefore each record requires additional processing by the server to supply it. Even though variable record files have multiple records buffered by the HTTPd before being written collectively to the network, improving efficiency, stream and binary file reads are by Virtual Block and are written to the network immediately, making the transfer of these very efficient indeed! <a id="11.2" href="#"></a> <a id="11.2.scripting" href="#"></a> <a id="scripting" href="#"></a> <h2 class="head"><span class="numb">11.2</span><span class="text">Scripting</span></h2> <p> A simple performance evaluation shows the relative merits of WASD scripting and Apache in CGI and persistent environments, using <a class="link blank" target="_blank" href="/wasd_root/src/cgiplus/cgiplustest.c">WASD_ROOT:[SRC.CGIPLUS]CGIPLUSTEST.C</a> which executes in standard CGI, CGIplus and Apache loadable module environments. CGIplus and Apache modules are somewhat analogous. A series of accesses were made. The first test returned only the HTTP header, evaluating raw request turn-around time. The second test requested a body of 64k characters, again testing performance with a more realistic load. 
<div class="blockof block center"> <a id="11.2.0.0.1" href="#"></a> <a id="11.2.concurrency1requestssecond" href="#"></a> <a id="concurrency1requestssecond" href="#"></a> <h5 class="head"><span class="text">Concurrency 1 - Requests/Second</span></h5> <table class="tabu tabauto"> <tr class="tabr"> <th class="tabh">Response <th class="tabh">WASD CGI <th class="tabh">WASD CGIplus <th class="tabh">Apache CGI <th class="tabh">Apache module <tr class="tabr"> <td class="tabd">0kB <td class="tabd">27 <td class="tabd">193 <td class="tabd">5 <td class="tabd">52 <tr class="tabr"> <td class="tabd">64kB <td class="tabd">14 <td class="tabd">25 <td class="tabd">5 <td class="tabd">31 </table> <a id="11.2.0.0.2" href="#"></a> <a id="11.2.concurrency10requestssecond" href="#"></a> <a id="concurrency10requestssecond" href="#"></a> <h5 class="head"><span class="text">Concurrency 10 - Requests/Second</span></h5> <table class="tabu tabauto"> <tr class="tabr"> <th class="tabh">Response <th class="tabh">WASD CGI <th class="tabh">WASD CGIplus <th class="tabh">Apache CGI <th class="tabh">Apache module <tr class="tabr"> <td class="tabd">0kB <td class="tabd">28 <td class="tabd">337 <td class="tabd">4 <td class="tabd">51 <tr class="tabr"> <td class="tabd">64kB <td class="tabd">16 <td class="tabd">65 <td class="tabd">4 <td class="tabd">37 </table> </div> <p> Data file (non-relevant output snipped): <ul class="list simple list0"> <li class="item"> <a class="link blank" target="_blank" href="/wasd_root/exercise/perf_scripts_v115.txt">WASD_ROOT:[EXERCISE]PERF_SCRIPTS_V115.TXT</a> </ul> <a id="11.2.0.0.3" href="#"></a> <a id="11.2.persistentscripting" href="#"></a> <a id="persistentscripting" href="#"></a> <h5 class="head"><span class="text">Persistent Scripting</span></h5> <p> CGI scripting is notoriously slow (as above), hence the effort expended by designers in creating persistent scripting environments - those where the scripting engine (and perhaps other state) is maintained between requests. 
Both WASD and Apache implement these as integrated features, the former as <span class="high bold">CGIplus/RTE</span>, and in the latter as <span class="high bold">loadable modules</span>. <p> The <span class="high italic">CGIplus</span> and <span class="high italic">Apache module</span> data from the above CGIPLUSTEST.EXE table show the benefits of having scripts persist, reducing activation latency, thereby increasing throughput, and potentially retaining state, including the scripts themselves in local caches. Note that state retained between requests is also retained across different clients: a persistent script must not allow per-request data (credentials, session identifiers, uploaded content) to carry over into the next request it services. Both WASD and VMS Apache use their respective <span class="high bold">persistence technologies</span> to provide common scripting environments, including <span class="high bold">Perl</span>, <span class="high bold">PHP</span> and <span class="high bold">Python</span>. <p> The WASD CGIplus/RTE technology used to implement its persistent scripting environments is available for general use and, being based on CGI principles, offers a ready adaptation of well-known techniques. Most site-specific scripts can also be built using the libraries, code fragments, and example scripts provided with the WASD package, and obtain similar efficiencies and low latencies. See the <a class="link blank" target="_blank" href="../../scripting/scripting.html">WASD Scripting Environment</a> document. <!-- source:1200_UPDATE.WASDOC --> <hr class="page"> <a id="12." href="#"></a> <a id="12.httpdwebupdate" href="#"></a> <a id="httpdwebupdate" href="#"></a> <h1 class="head"><span class="numb">12.</span><span class="text">HTTPd Web Update</span></h1> <p> The <span class="high bold">Upd</span>ate facility allows Web documents and file environments to be administered from a standard browser. This capability is available to Web administrator and user alike.
Availability and capability depend on the authorization environment within the server. <p> It <span class="high bold">should be stressed</span> that this is not designed as a full hypertext administration or authoring tool, and for document preparation relies on the editing capabilities of the <TEXTAREA> widget of the user's browser. It does however, allow <span class="high bold">ad-hoc changes</span> to be made to documents fairly easily, as well as allowing documents to be deleted, and directories to be created and deleted. <p> Consult the <a class="link blank" target="_blank" href="https://wasd.kicks-ass.net/httpd/-/updhelp.html">Current UPDate documentation</a> for usage detail. <p> Here is <a class="link blank" target="_blank" href="/upd/wasd_root/">an example of the interface</a> (access may be denied). <a class="imglink" target="_blank" href="./update.png"><img class="image" src="./update.png"></a> <a class="imglink" target="_blank" href="./edit.png"><img class="image" src="./edit.png"></a> <a id="12.0.0.0.1" href="#"></a> <a id="12.updateaccesspermission" href="#"></a> <a id="updateaccesspermission" href="#"></a> <h5 class="head"><span class="text">Update Access Permission</span></h5> <p> If SSL is in use (see <a class="link" href="#4.transportlayersecurity">4. Transport Layer Security</a>) then the username/password exchanged by the authorization environment is protected <span class="high italic">in transit</span> by the encrypted connection. Encryption does not by itself authorize anyone; write access still has to be granted explicitly (see below). To restrict web update functionality to this encrypted environment add the following to the WASD_CONFIG_MAP configuration file. The rule returns 403 for any /upd/ request that did not arrive over https; mapping rules are evaluated in order, so place it ahead of any rule that would otherwise map /upd/: <div class="blockof code">/upd/* "403 Access denied." ![sc:https] </div> <p> Of course, the user must have write (POST/PUT) access to the document or area on the server (i.e. the <span class="high italic">path</span>) and the server account have file system permission to write into the <span class="high under">parent directory</span>. Web update is only as safe as the authorization rules that grant that write access, so grant it to the narrowest path and user set the task requires. <p> The server will report "Insufficient privilege or object protection violation ...
/path/document" if it does not have file system permission to write into a directory. <p> Also see <a class="link" href="#3.13.controllingserverwriteaccess">3.13 Controlling Server Write Access</a> for information on write access control for the server account. <!-- source:1300_UTILITIES.WASDOC --> <hr class="page"> <a id="13." href="#"></a> <a id="13.utilitiesandfacilities" href="#"></a> <a id="utilitiesandfacilities" href="#"></a> <h1 class="head"><span class="numb">13.</span><span class="text">Utilities and Facilities</span></h1> <div class="TOC2cols2"> <table class="TOC2table"> <tr><td><a href="#13.1.echofacility"><span class="numb">13.1</span><span class="text">Echo Facility</span></a> <tr><td><a href="#13.2.hissfacility"><span class="numb">13.2</span><span class="text">Hiss Facility</span></a> <tr><td><a href="#13.3.streamfacility"><span class="numb">13.3</span><span class="text">Stream Facility</span></a> <tr><td><a href="#13.4.wherefacility"><span class="numb">13.4</span><span class="text">Where Facility</span></a> <tr><td><a href="#13.5.xrayfacility"><span class="numb">13.5</span><span class="text">Xray Facility</span></a> <tr><td><a href="#13.6.calogs"><span class="numb">13.6</span><span class="text">CALogs</span></a> <tr><td><a href="#13.7.cspreporter"><span class="numb">13.7</span><span class="text">CSPreport[er]</span></a> <tr><td><a href="#13.8.htadmin"><span class="numb">13.8</span><span class="text">HTAdmin</span></a> <tr><td><a href="#13.9.httpdmonitor"><span class="numb">13.9</span><span class="text">HTTPd Monitor</span></a> <tr><td><a href="#13.10.md5digest"><span class="numb">13.10</span><span class="text">MD5digest</span></a> <tr><td><a href="#13.11.qdlogstats"><span class="numb">13.11</span><span class="text">QDLogStats</span></a> <tr><td><a href="#13.12.sechanutility"><span class="numb">13.12</span><span class="text">SECHAN Utility</span></a> <tr><td><a href="#13.13.streamlfutility"><span class="numb">13.13</span><span class="text">StreamLF 
Utility</span></a> <tr><td><a href="#13.14.wasteeutility"><span class="numb">13.14</span><span class="text">WAStee Utility</span></a> <tr><td><a href="#13.15.wotsuputility"><span class="numb">13.15</span><span class="text">WOTSUP Utility</span></a> </table> </div> <p> Foreign commands for external utilities (and the HTTPD control functionality) will need to be assigned from the administration users' LOGIN.COM either explicitly or by calling the <a class="link blank" target="_blank" href="/wasd_root/example/wasdverbs.com">WASD_ROOT:[EXAMPLE]WASDVERBS.COM</a> procedure. <div class="blockof code">$ AB == "$WASD_EXE:AB" $ HTTPD == "$WASD_EXE:HTTPD" $ HTTPDMON == "$WASD_EXE:HTTPDMON" $ MD5DIGEST == "$WASD_EXE:MD5DIGEST" $ QDLOGSTATS == "$WASD_EXE:QDLOGSTATS" $ SECHAN == "$WASD_EXE:SECHAN" $ STREAMLF == "@WASD_EXE:STREAMLF" $ WB == "$WASD_EXE:WB" </div> <a id="13.1" href="#"></a> <a id="13.1.echofacility" href="#"></a> <a id="echofacility" href="#"></a> <h2 class="head"><span class="numb">13.1</span><span class="text">Echo Facility</span></h2> <p> Ever had to go to extraordinary lengths to find out exactly what your browser is sending to the server? The server provides a request echo facility. This merely returns the complete request as a plain-text document. This can be used for checking the request header lines being provided by the browser, and can be valuable in the diagnosis of POSTed forms, etc. <p> Because the echo reflects the <span class="high italic">entire</span> request, including any Authorization header, cookies and POSTed body, it should be enabled only while diagnosing a problem and, where it must remain mapped, be restricted to trusted clients or protected by authorization. <p> This facility must be enabled through a mapping rule entry. <div class="blockof code">script /echo/* /echo/* </div> <p> It may then be used with any request merely by inserting "/echo" at the start of the path, as in the following example.
<div class="blockof code">http://www.example.com/echo/wasd_root/ </div> <a id="13.2" href="#"></a> <a id="13.2.hissfacility" href="#"></a> <a id="hissfacility" href="#"></a> <h2 class="head"><span class="numb">13.2</span><span class="text">Hiss Facility</span></h2> <p> The <span class="high italic">hiss</span> facility provides a response stream made up of random alpha-numeric characters (a sort of alpha-numeric white-noise). No response header is generated and the stream will continue (by default) up to one megabyte of output, or until the client closes the connection. This maximum may be controlled by appending an integer representing the number of kilobytes maximum to the mapping. This facility must be enabled through a mapping rule entry and may then be used for specific requests. The example rules below direct requests matching well-known exploit probes (Windows DLLs, system32 paths, default.ida) to a 64 kilobyte hiss stream. <div class="blockof code">map /**.dll* /hiss/64/*.dll* map /**/system32/* /hiss/64/*/system32/* map /**default.ida* /hiss/64/*default.ida* script /hiss/* /hiss/* </div> <p> Usage details are described in <a class="link blank" target="_blank" href="../config/#securityconsiderations">Security Considerations</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>. <a id="13.3" href="#"></a> <a id="13.3.streamfacility" href="#"></a> <a id="streamfacility" href="#"></a> <h2 class="head"><span class="numb">13.3</span><span class="text">Stream Facility</span></h2> <p> The <span class="high italic">stream</span> facility provides a quantified or unlimited response stream of printable or binary octets. It is intended as a light-weight data source delivering content at the maximum throughput capable by the server and platform. This can be used as a test source or for end-to-end metrics. Since an unlimited stream occupies a connection and bandwidth for as long as the client chooses to keep reading, the facility should not be left mapped on a production service without restricting it to trusted clients. This facility must be enabled through a mapping rule. <div class="blockof code">script /stream/* /stream/* </div> <p> It may then be used to generate streams of data with various characteristics and sizes by including parameters in the URL.
<ul class="list"> <li class="item"> Without parameters it produces a text/plain response header with an unlimited stream of random 8 bit printable and newline characters. The stream ceases at client disconnection. <div class="blockof code">http://www.example.com/stream/ </div> <li class="item"> With an integer parameter the stream ceases when the response has delivered that many kilobytes (1024) of characters. <div class="blockof code">http://www.example.com/stream/50/ </div> <li class="item"> A 100 kilobyte stream of repeated 80 column, newline terminated characters in the range "+" (0x2b) to "z" (0x7a). Intended to provide an entirely predictable sequence for testing purposes. <div class="blockof code">http://www.example.com/stream/text:100/ </div> <li class="item"> The following produces an application/binary response header with an unlimited stream of random octets. <div class="blockof code">http://www.example.com/stream/binary/ </div> <li class="item"> One megabyte of random octets. <div class="blockof code">http://www.example.com/stream/binary:1024/ </div> <li class="item"> An unlimited stream of octets cycling from 0x00 to 0xff. Intended to provide an entirely predictable sequence for testing purposes. <div class="blockof code">http://www.example.com/stream/octets/ </div> </ul> <a id="13.4" href="#"></a> <a id="13.4.wherefacility" href="#"></a> <a id="wherefacility" href="#"></a> <h2 class="head"><span class="numb">13.4</span><span class="text">Where Facility</span></h2> <p> Need to locate where VMS has the HTTPd files? This simple facility maps the supplied path then parses it to obtain a resulting VMS file specification. <span class="high bold">This does not demonstrate whether the path actually exists!</span> <p> Because it reveals the server's internal file system layout for any path a client supplies, this is an information disclosure aid to an attacker; enable it only for diagnosis and restrict it to trusted clients or protect it with authorization. <p> This facility must be enabled through a mapping rule entry. <div class="blockof code">script /where/* /where/* </div> <p> It may then be used with any request merely by inserting "/where" at the start of the path, as in the following example.
<div class="blockof code">http://www.example.com/where/wasd_root/ </div> <a id="13.5" href="#"></a> <a id="13.5.xrayfacility" href="#"></a> <a id="xrayfacility" href="#"></a> <h2 class="head"><span class="numb">13.5</span><span class="text">Xray Facility</span></h2> <p> The Xray facility returns a request's complete response, <span class="high bold">both header and body</span>, as a plain text document. Being able to <span class="high italic">see</span> the internals of the response header as well as the contents of the body rendered in plain text can often be valuable when developing scripts, etc. As with the echo facility, it exposes everything the server would have sent (including any Set-Cookie or other sensitive response headers), so it should be enabled only while diagnosing a problem and otherwise restricted to trusted clients. <p> This facility must be enabled through a mapping rule entry. <div class="blockof code">script /Xray/* /Xray/* </div> <p> It may then be used with any request merely by inserting "/xray" at the start of the path, as in the following example. <div class="blockof code">http://www.example.com/xray/wasd_root/ </div> <a id="13.6" href="#"></a> <a id="13.6.calogs" href="#"></a> <a id="calogs" href="#"></a> <h2 class="head"><span class="numb">13.6</span><span class="text">CALogs</span></h2> <p> The Consolidate Access LOGS utility (pronounced similar to the breakfast cereal brand :-) merges multiple HTTP server common and combined format access logs into a single log file with records in time-order. Due to the granularity of HTTP server entry timestamps (one second) the records are sorted to the one second but not within the one second. <p> It uses RMS and the VMS sort-merge routines to provide the basic consolidation functionality. An RMS search uses the supplied wildcard log file specification. Matching files are opened and each record read. The date/time field is parsed and a binary timestamp generated. Records with formats or date/time fields that do not make sense to the utility are discarded (silently, unless /VERBOSE reports otherwise), so a consolidated log should not be treated as a complete record for forensic purposes without also retaining the originals. When all files have been processed the sort-merge is performed using the timestamp as the key. The sorted records are then written to the specified output file.
<p> <span class="high bold">$ calogs <log-file-spec> [<output-file-name>] [<qualifiers>]</span> <p> <a id="13.6.0.0.1" href="#"></a> <a id="13.6.parametersandqualifiers" href="#"></a> <a id="parametersandqualifiers" href="#"></a> <h5 class="head"><span class="text">Parameters and Qualifiers</span></h5> <table class="tabl"> <tr class="tabr under"> <th class="tabh">Parameter <th class="tabh">Description <tr class="tabr"> <tr class="tabr backlight"> <td class="tabd">/HELP <td class="tabd">basic usage information <tr class="tabr"> <td class="tabd">/NOPROXY <td class="tabd">discard proxy service records <tr class="tabr backlight"> <td class="tabd">/NOWASD <td class="tabd">discard WASD server status/timestamp entries <tr class="tabr"> <td class="tabd">/OUTPUT= <td class="tabd">alternate method of specifying merged file name <tr class="tabr backlight"> <td class="tabd">/PROXY <td class="tabd">discard non-proxy service records <tr class="tabr"> <td class="tabd">/QUIET <td class="tabd">no messages apart from errors <tr class="tabr backlight"> <td class="tabd">/VERBOSE <td class="tabd">per-file progress messages <tr class="tabr"> <td class="tabd">/VERSION <td class="tabd">display the utility version and copyright message </table> <a id="13.6.0.0.2" href="#"></a> <a id="13.6.usageexamples" href="#"></a> <a id="usageexamples" href="#"></a> <h5 class="head"><span class="text">Usage Examples</span></h5> <div class="blockof code">$ CALOGS == "$WASD_EXE:CALOGS" $ CALOGS WASD_LOGS:*200205*.LOG 2002_MAY.LOG $ CALOGS /VERBOSE WASD_LOGS: $ CALOGS /NOWASD WASD_LOGS:*200206*.LOG_* /OUTPUT=2002_JUNE.LOG $ CALOGS /PROXY /NOWASD WASD_LOGS:*2002*.LOG 2002_PROXY.LOG </div> <a id="13.7" href="#"></a> <a id="13.7.cspreporter" href="#"></a> <a id="cspreporter" href="#"></a> <h2 class="head"><span class="numb">13.7</span><span class="text">CSPreport[er]</span></h2> <p> Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, 
including Cross Site Scripting (XSS) and data injection attacks. <p class="indent"> <a class="link blank" target="_blank" href="https://en.wikipedia.org/wiki/Content_Security_Policy">https://en.wikipedia.org/wiki/Content_Security_Policy</a> <br> <a class="link blank" target="_blank" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP</a> <p> WASD provides CSP support using mapping rules. See <a class="link blank" target="_blank" href="../config/#contentsecuritypolicycsp">Content Security Policy (CSP)</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>. <p> When POSTed to, this utility appends a timestamp and CSP report JSON to the file specified by the CSPREPORT_FILE logical name. This file must be located somewhere the scripting account has read+write access to. When accessed using a GET the utility accesses the stored CSP reports and returns a formatted HTML report listing each. GET requests (reporting) must be subject to authentication and authorisation. The POST endpoint necessarily accepts reports from any browser without authentication, so the stored JSON is untrusted, client-supplied data: treat its contents accordingly when viewing reports, and monitor the report file's growth since any client can add to it. <p> For further information check the descriptive prologue in the <a class="link blank" target="_blank" href="/wasd_root/src/utils/cspreport.c">WASD_ROOT:[SRC.UTILS]CSPREPORT.C</a> source code. <a id="13.8" href="#"></a> <a id="13.8.htadmin" href="#"></a> <a id="htadmin" href="#"></a> <h2 class="head"><span class="numb">13.8</span><span class="text">HTAdmin</span></h2> <p> The HTAdmin utility assists with the command-line maintenance of $HTA authorization databases. See <a class="link blank" target="_blank" href="../config/#authorizationconfigurationbasics">Authorization Configuration (Basics)</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a> and <a class="link" href="#3.authenticationandauthorization">3. Authentication and Authorization</a>.
<p> <span class="high bold"> htadmin <database> [<username>] [<qualifiers>]</span> <a id="13.8.0.0.1" href="#"></a> <a id="13.8.parametersandqualifiers" href="#"></a> <a id="parametersandqualifiers" href="#"></a> <h5 class="head"><span class="text">Parameters and Qualifiers</span></h5> <table class="tabl"> <tr class="tabr under"> <th class="tabh">Parameter <th class="tabh">Description <tr class="tabr"> <tr class="tabr backlight"> <td class="tabd">/ADD <td class="tabd">add a new record <tr class="tabr"> <td class="tabd">/CONFIRM <td class="tabd">confirm deletion of database <tr class="tabr backlight"> <td class="tabd">/CONTACT="<string>" <td class="tabd">contact information for record <tr class="tabr"> <td class="tabd">/CREATE <td class="tabd">create a new database <tr class="tabr backlight"> <td class="tabd">/CSV[=TAB|char] <td class="tabd">comma-separated listing (optional character) <tr class="tabr"> <td class="tabd">/DATABASE= <td class="tabd">database name (or as command-line parameter) <tr class="tabr backlight"> <td class="tabd">/DELETE <td class="tabd">delete a database or username record from a database <tr class="tabr"> <td class="tabd">/DISABLED <td class="tabd">username record is disabled (cannot be used) <tr class="tabr backlight"> <td class="tabd">/EMAIL="<string>" <td class="tabd">email address for record <tr class="tabr"> <td class="tabd">/ENABLED <td class="tabd">username record is enabled (can be used) <tr class="tabr backlight"> <td class="tabd">/FULL <td class="tabd">listing showing full details <tr class="tabr"> <td class="tabd">/GENERATE <td class="tabd">generate a six character password <tr class="tabr backlight"> <td class="tabd">/HELP <td class="tabd">basic usage information <tr class="tabr"> <td class="tabd">/[NO]HTTPS <td class="tabd">synonym for /SSL <tr class="tabr backlight"> <td class="tabd">/LIST <td class="tabd">listing (brief by default, see /FULL and /CSV) <tr class="tabr"> <td class="tabd">/MODIFY <td class="tabd">synonym for 
/UPDATE <tr class="tabr backlight"> <td class="tabd">/NAME="<string>" <td class="tabd">full name for username record <tr class="tabr"> <td class="tabd">/OUTPUT= <td class="tabd">alternate output for database listing <tr class="tabr backlight"> <td class="tabd">/PASSWORD[=<string>] <td class="tabd">username record password (prompts if not supplied) <tr class="tabr"> <td class="tabd">/PIN <td class="tabd">generate four-digit "PIN number" for password <tr class="tabr backlight"> <td class="tabd">/[NO]READ <td class="tabd">username can/can't read <tr class="tabr"> <td class="tabd">/SORT[=<parameters>] <td class="tabd">sort the records into a new/another database <tr class="tabr backlight"> <td class="tabd">/[NO]SSL <td class="tabd">user can only authenticate via SSL ("https:") <tr class="tabr"> <td class="tabd">/[NO]WRITE <td class="tabd">username can/can't write <tr class="tabr backlight"> <td class="tabd">/UPDATE <td class="tabd">update an existing username record <tr class="tabr"> <td class="tabd">/USER=<string> <td class="tabd">username <tr class="tabr backlight"> <td class="tabd">/VERSION <td class="tabd">display version of HTADMIN </table> <a id="13.8.0.0.2" href="#"></a> <a id="13.8.usageexamples" href="#"></a> <a id="usageexamples" href="#"></a> <h5 class="head"><span class="text">Usage Examples</span></h5> <ul class="list"> <li class="item"> To create a new database named EXAMPLE.$HTA (in the current directory) <div class="blockof code">$ HTADMIN EXAMPLE /CREATE </div> <li class="item"> Delete an existing database <div class="blockof code">$ HTADMIN EXAMPLE /DELETE /CONFIRM </div> <li class="item"> List (briefly) the records <div class="blockof code">$ HTADMIN EXAMPLE </div> <li class="item"> List (briefly) the specific user record DANIEL <div class="blockof code">$ HTADMIN EXAMPLE DANIEL </div> <li class="item"> List all detail (132 colums) of the specified user record <div class="blockof code">$ HTADMIN EXAMPLE DANIEL /FULL </div> <li class="item"> To add 
the new record DANIEL with default read access <div class="blockof code">$ HTADMIN EXAMPLE DANIEL /ADD /NAME="Mark Daniel" </div> <li class="item"> Add the new record DANIEL with contact details and read+write access <div class="blockof code">$ HTADMIN EXAMPLE DANIEL /ADD /WRITE /CONTACT="Postal Address" </div> <li class="item"> Add the new record DANIEL and be prompted for a password, or to specify the password on the command-line, or have the utility generate a password or four-digit PIN style password (which is displayed after the record is successfully added). Prefer the interactive prompt: a password supplied on the command line is visible in the DCL recall buffer and to anyone able to observe the process, and a six-character generated password or four-digit PIN offers little resistance to guessing, so use them only for low-value or temporary access. <div class="blockof code">$ HTADMIN EXAMPLE DANIEL /ADD /NAME="Mark Daniel" /PASSWORD $ HTADMIN EXAMPLE DANIEL /ADD /NAME="Mark Daniel" /PASSWORD=cher10s $ HTADMIN EXAMPLE DANIEL /ADD /NAME="Mark Daniel" /GENERATE $ HTADMIN EXAMPLE DANIEL /ADD /NAME="Mark Daniel" /PIN </div> <li class="item"> To update an existing record <div class="blockof code">$ HTADMIN EXAMPLE DANIEL /UPDATE /EMAIL="Mark.Daniel@wasd.vsm.com.au" </div> <li class="item"> Update the specified record's password (interactively), then generate a new password, then a four digit PIN for a password (which is then displayed) <div class="blockof code">$ HTADMIN EXAMPLE DANIEL /UPDATE /PASSWORD $ HTADMIN EXAMPLE DANIEL /UPDATE /GENERATE $ HTADMIN EXAMPLE DANIEL /UPDATE /PIN </div> <li class="item"> Disable then enable an existing user record without changing anything else <div class="blockof code">$ HTADMIN EXAMPLE DANIEL /UPDATE /DISABLE $ HTADMIN EXAMPLE DANIEL /UPDATE /ENABLE </div> <li class="item"> To list the entire database, first briefly, then in 132 column mode (with all detail), then finally as a comma-separated listing <div class="blockof code">$ HTADMIN EXAMPLE $ HTADMIN EXAMPLE /FULL $ HTADMIN EXAMPLE /CSV </div> </ul> <a id="13.8.0.0.3" href="#"></a> <a id="13.8.sortdetails" href="#"></a> <a id="sortdetails" href="#"></a> <h5 class="head"><span class="text">Sort Details</span></h5> <p> The /SORT qualifier sorts the current database records according to
the /SORT= parameters. It can be used with the /LIST qualifier to produce ordered reports or will output the records into another authentication file. By default it sorts ascending by username. Qualifier parameters allow a sort by DATE or COUNT. Each of these allows the further specification of which date or count; ACCESS, CHANGE or FAILURE. <ul class="list"> <li class="item"> Generating a listing with specified order <div class="blockof code">$ HTADMIN EXAMPLE /LIST /SORT=DATE=ACCESS $ HTADMIN EXAMPLE /LIST /SORT=COUNT=FAILURE /OUTPUT=EXAMPLE.LIS </div> <li class="item"> Sort descending by username into a higher version of EXAMPLE.$HTA <div class="blockof code">$ HTADMIN EXAMPLE /SORT </div> <li class="item"> To sort by username into another .$HTA file <div class="blockof code">$ HTADMIN EXAMPLE /SORT /OUTPUT=ANOTHER </div> <li class="item"> List by most-recently accessed <div class="blockof code">$ HTADMIN EXAMPLE /LIST /SORT=DATE </div> <li class="item"> List by most-recently failed to authenticate <div class="blockof code">$ HTADMIN EXAMPLE /LIST /SORT=DATE=FAILURE </div> <li class="item"> Sort file into order by most frequently authenticated (accessed) <div class="blockof code">$ HTADMIN EXAMPLE /SORT=COUNT </div> </ul> <a id="13.9" href="#"></a> <a id="13.9.httpdmonitor" href="#"></a> <a id="httpdmonitor" href="#"></a> <h2 class="head"><span class="numb">13.9</span><span class="text">HTTPd Monitor</span></h2> <p> The HTTP server may be monitored in real-time using the HTTPDMON utility. <a class="imglink" target="_blank" href="./httpdmon.png"><img class="image" src="./httpdmon.png"></a> <p> This utility continuously displays a screen of information comprising four or five of the following sections: <ol class="list"> <li class="item"> <span class="high bold">System Information</span> <br> The nodename, instance number(s), monitor version and current date/time. 
<li class="item"> <span class="high bold">Process Information</span> <br> HTTPd process information includes its up-time, CPU-time consumed (excluding any subprocesses), I/O counts, and memory utilization. The "Servers:" item shows how many servers are currently running on the node/cluster. Changes in this count are indicated by the second, parenthesized number. <li class="item"> <span class="high bold">General Server Counters</span> <br> The server counters keep track of the total connections received, accepted, rejected, etc., totals for each request type (file transfer, directory listing, image mapping, etc.). <br> <sup>**</sup> The request count of 3.8M is a real value, as are the others, with the screenshot taken during x86-64 (V9.1-A) testing using OWASP ZAP. <li class="item"> <span class="high bold">Proxy Serving Counters</span> <br> The server counters keep track of proxy serving connections, network and cache traffic, cache status, etc. <li class="item"> <span class="high bold">Latest Request</span> <br> This section provides the response status code, and some transaction statistics, the service being accessed, originating host and HTTP request. Note that long request strings may be truncated (indicated by a bolded ellipsis). <li class="item"> <span class="high bold">Status Message</span> <br> If the server is in an exceptional condition, for example exited after a fatal error, starting up, etc., a textual message may be displayed in place of the request information. This may be used to initiate remedial actions, etc. </ol> <p> The "/HELP" qualifier provides a brief usage summary. <p> The server counter values are carried over when a server (re)starts (provided the system has stayed up). To reset the counters use the online Server Administration facility (<a class="link" href="#9.serveradministration">9. Server Administration</a>).
<p> If [DNSlookup] is disabled for the HTTP server the HTTPDMON utility attempts to resolve the literal address into a host name. This may be disabled using the /NORESOLVE qualifier. <a id="13.10" href="#"></a> <a id="13.10.md5digest" href="#"></a> <a id="md5digest" href="#"></a> <h2 class="head"><span class="numb">13.10</span><span class="text">MD5digest</span></h2> <p> From RFC1321 … <p> " The [MD5] algorithm takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. It is conjectured that it is computationally infeasible to produce two messages having the same message digest, or to produce any message having a given prespecified target message digest. " <p> That conjecture no longer holds for the first property: practical MD5 collision attacks have been public for many years, so a party able to influence a kit's contents can produce two archives with the same digest. An MD5 comparison therefore reliably detects <span class="high italic">accidental</span> corruption, but as protection against deliberate tampering it is only as strong as the channel over which the reference hash is obtained (see below) and should be supplemented by a signature or a stronger digest where the distributor provides one. <p> The MD5DIGEST utility is primarily provided with WASD for verifying kits as unchanged from the originals released. With the proliferation of mirror sites and other distribution resources it has become good practice to ensure kits remain unchanged from release, to distribution, to installation site (changes due to data corruption or malicious intent - as remote a possibility as that may seem). Of course it may also be used for any other purpose where the MD5 hash is useful. <p> For verifying the contents of a WASD release connect to the <span class="high bold">original</span> WASD distribution site (over HTTPS, so that the reference hashes themselves cannot be substituted in transit), refer to the download page, and make a comparison between the release MD5 hash found against the list of all archive hashes and the MD5 hash of your archive. That can be done as follows <div class="blockof code">$ MD5DIGEST == "$WASD_EXE:MD5DIGEST" $ MD5DIGEST device:[dir]archive.ZIP </div> The result will look similar to <div class="blockof code">MD5 (kits:[000000]htroot710.zip;1) = 404bbdfe0f847c597b034feef2d13d2d </div> <p> Of course, if you have not yet installed your first WASD distribution, using the MD5DIGEST utility that is part of it is not feasible. The original site can provide kits and pre-built executables for this purpose.
<a id="13.11" href="#"></a> <a id="13.11.qdlogstats" href="#"></a> <a id="qdlogstats" href="#"></a> <h2 class="head"><span class="numb">13.11</span><span class="text">QDLogStats</span></h2> <p> <span class="high bold">Quick-and-Dirty LOG STATisticS</span> is a utility to extract very elementary statistics from Web server common/combined format log files. It is intended for those moments when we think "I wonder how many times that new archive has been downloaded?", "How much data was transferred during November?", "How often is <span class="high italic">such-and-such</span> a client using the authenticated <span class="high italic">so-and-so</span> service?", "How much has the mail service been used?" … and want the results in a matter of seconds (or at least a few tens of seconds ;-) It is available at the command-line and as a CGI script. <a class="imglink" target="_blank" href="./qdlogstats.png"><img class="image" src="./qdlogstats.png"></a> <p> For QDLOGSTATS to be available as a CGI script it <span class="high bold">must</span> have authorization enabled against it (to prevent potential ad hoc browsing of a site's logs, which contain client addresses, authenticated usernames, referers and query strings). The following provides some indication of this configuration, although of course it requires tailoring for any given site; the example restricts the script to the <span class="high italic">webadmin</span> user connecting from one network range. <div class="blockof code">[VMS] /cgi-bin/qdlogstats ~webadmin,131.185.250.*,r+w ; </div> <p> It could then be accessed using <div class="blockof code">http://the.host.name/cgi-bin/qdlogstats </div> <p> The initial access provides a form allowing the various filters and other behaviours to be selected. The CGI form basically parallels the command-line behaviour described below. <a id="13.11.0.0.1" href="#"></a> <a id="13.11.filters" href="#"></a> <a id="filters" href="#"></a> <h5 class="head"><span class="text">Filters</span></h5> <p> A number of filters allow subsets of the log contents to be selected.
These filters support the same string matching expressions as the server (see <a class="link blank" target="_blank" href="../config/#stringmatching">String Matching</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>). <p> A knowledge of the format and contents of the <span class="high italic">common</span> and <span class="high italic">combined</span> log formats will assist in deciding which and to what purpose filters should be used. Record filtering is done in the same order as is finally displayed, so <span class="high italic">method</span> would be processed before <span class="high italic">user-agent</span> for instance. Normally a record match terminates on the first non-matched filter (to expedite processing). To compare and report each filter for every record apply the /ALL qualifier. To view records as they are processed use the /VIEW qualifier. This by default displays all matched records, but the optional =ALL or =NOMATCH parameters will display all records, or all those except the matches. Note that path, query and referer values in a log record are as supplied by the client; apply /DECODE when matching against URL-encoded content so that an encoded variant of a string is not missed.
<p> <span class="high bold"> QDLOGSTATS log-file-spec [pattern qualifiers] [other qualifiers]</span> <a id="13.11.0.0.2" href="#"></a> <a id="13.11.parametersandqualifiers" href="#"></a> <a id="parametersandqualifiers" href="#"></a> <h5 class="head"><span class="text">Parameters and Qualifiers</span></h5> <table class="tabl"> <tr class="tabr under"> <th class="tabh">Parameter <th class="tabh">Description <tr class="tabr"> <tr class="tabr backlight"> <td class="tabd">/ALL <td class="tabd">compare and report on all supplied filters <tr class="tabr"> <td class="tabd">/AUTHUSER= <td class="tabd">pattern (any authenticated username) <tr class="tabr backlight"> <td class="tabd">/BEFORE= <td class="tabd">log files before this VMS date/time <tr class="tabr"> <td class="tabd">/CLIENT= <td class="tabd">pattern (client host name or IP address) <tr class="tabr backlight"> <td class="tabd">/DATETIME= <td class="tabd">pattern ("11/Jun/1999:14:08:49 +0930") <tr class="tabr"> <td class="tabd">/DECODE[=<span class="high italic">keyword</span>] <td class="tabd">URL-decode PATH, QUERY, REFERER before match <tr class="tabr backlight"> <td class="tabd">/METHOD= <td class="tabd">pattern (HTTP "GET", "POST", etc.) <tr class="tabr"> <td class="tabd">/OUTPUT= <td class="tabd">file specification <tr class="tabr backlight"> <td class="tabd">/PATH= <td class="tabd">pattern (URL path component only) <tr class="tabr"> <td class="tabd">/PROGRESS <td class="tabd">show progress during processing; a "+" for each file started, a "." 
for each 1000 records processed <tr class="tabr backlight"> <td class="tabd">/QUERY= <td class="tabd">pattern (URL query component only) <tr class="tabr"> <td class="tabd">/REFERER= <td class="tabd">pattern (HTTP "Referer:" field, COMBINED only) <tr class="tabr backlight"> <td class="tabd">/REMOTEID= <td class="tabd">pattern (RFC819 file) <tr class="tabr"> <td class="tabd">/RESPONSE= <td class="tabd">pattern (HTTP response code) <tr class="tabr backlight"> <td class="tabd">/SINCE= <td class="tabd">log files after this VMS date/time <tr class="tabr"> <td class="tabd">/SIZE[=<span class="high italic">keyword</span>] <td class="tabd">response size (in bytes) MIN=<span class="high italic">integer</span> MAX=<span class="high italic">integer</span> <tr class="tabr backlight"> <td class="tabd">/USERAGENT= <td class="tabd">pattern (HTTP "User-Agent:" field, COMBINED only) <tr class="tabr"> <td class="tabd">/VIEW[=type] <td class="tabd">display matching log records (ALL, NOMATCH, MATCH) </table> <a id="13.11.0.0.3" href="#"></a> <a id="13.11.usageexamples" href="#"></a> <a id="usageexamples" href="#"></a> <h5 class="head"><span class="text">Usage Examples</span></h5> <ul class="list"> <li class="item"> Records from September 1999. 
<div class="blockof code">$ QDLOGSTATS WASD_LOGS:*1999*.LOG /DATE="*/SEP/1999*" </div> <li class="item"> Records where the browser was an X-based Netscape Navigator <div class="blockof code">$ QDLOGSTATS WASD_LOGS:*.LOG /USERAGENT=*MOZILLA*X11* </div> <li class="item"> Records of POST method requests <div class="blockof code">$ QDLOGSTATS WASD_LOGS:*.LOG /METHOD=POST </div> <li class="item"> Records requesting a particular path <div class="blockof code">$ QDLOGSTATS WASD_LOGS:*.LOG /PATH="/cgi-bin/*" </div> <li class="item"> Select proxy records requesting (a) particular site(s) <div class="blockof code">$ QDLOGSTATS WASD_LOGS:*8080*.LOG /PATH="http://*.compaq.com*" $ QDLOGSTATS WASD_LOGS:*8080*.LOG /METHOD=POST /PATH="http://*sex*.*/*" /VIEW </div> <li class="item"> Records where the request was authenticated as a particular user <div class="blockof code">$ QDLOGSTATS WASD_LOGS:*.LOG /AUTHUSER=DANIEL </div> </ul> <a id="13.12" href="#"></a> <a id="13.12.sechanutility" href="#"></a> <a id="sechanutility" href="#"></a> <h2 class="head"><span class="numb">13.12</span><span class="text">SECHAN Utility</span></h2> <p> The SECHAN utility (pronounced "session") is used by [INSTALL]SECURE.COM and associated procedures to make file system security settings. It is also available for direct use by the site administrator. See <a class="link blank" target="_blank" href="../config/#securityconsiderations">Security Considerations</a> of <a class="link blank" target="_blank" href="../config/#0.">WASD Configuration</a>. <a id="13.13" href="#"></a> <a id="13.13.streamlfutility" href="#"></a> <a id="streamlfutility" href="#"></a> <h2 class="head"><span class="numb">13.13</span><span class="text">StreamLF Utility</span></h2> <p> This simple procedure uses the FDL facility to convert files to STREAM_LF format. The WASD HTTPd server accesses STREAM_LF files in block/IO-mode, far more efficiently than the record-mode required by variable-record format files. 
<p> <span class="high bold">NOTE: </span> The server can also be configured to automatically convert any VARIABLE record format files it encounters to STREAM_LF. <a id="13.14" href="#"></a> <a id="13.14.wasteeutility" href="#"></a> <a id="wasteeutility" href="#"></a> <h2 class="head"><span class="numb">13.14</span><span class="text">WAStee Utility</span></h2> <p> WAStee is a utility to generate time-stamped log files containing intervals of a long-lived WASD server process, and/or to consolidate all process log files generated during the defined period. It is the tee in a PIPE sequence. <p> This utility is UNSUITABLE for sites using multiple instances and/or environments on a node. Only the first of multiple server processes will have the log teed. <p> For further information check the descriptive prologue in the <a class="link blank" target="_blank" href="/wasd_root/src/utils/wastee.c">WASD_ROOT:[SRC.UTILS]WASTEE.C</a> source code. <a id="13.15" href="#"></a> <a id="13.15.wotsuputility" href="#"></a> <a id="wotsuputility" href="#"></a> <h2 class="head"><span class="numb">13.15</span><span class="text">WOTSUP Utility</span></h2> <p> The "WASD Over-The-Shoulder Uptime Picket" is designed to monitor WASD in a production environment for the purpose of alerting operations staff to conditions which might cause that production to be adversely impacted. 
<p> Alert triggers include: <ul class="list list0"> <li class="item"> server image exit and/or startup (default) <li class="item"> server process non-existent or suspended (default) <li class="item"> percentage thresholds on process quotas (optional) <li class="item"> rates of HTTP status counter change (optional) <li class="item"> maximum period without request processing (optional) </ul> <p> Alert reports can be delivered via any combination of: <ul class="list list0"> <li class="item"> OPCOM message <li class="item"> MAIL <li class="item"> site-specific DCL command executed in a spawned subprocess (this runs in the context of the detached WOTSUP process, so the command and any procedure it invokes should be protected from modification like any other privileged procedure) <li class="item"> log file entry </ul> <p> The utility runs in a detached process and monitors the server environment by periodically polling various server data, at a default interval of 15 seconds. As the utility requires access to the server's global-memory accounting data, a separate WOTSUP process is required on each node to be monitored. <p> The following (somewhat contrived) example illustrates the format and content of a WOTSUP report delivered via OPCOM. Reports delivered via other mechanisms have the same content and similar format. <div class="blockof code">%%%%%%%%%% WOTSUP 24-OCT-2006 13:32:56.44 %%%%%%%%%%% Message from user SYSTEM on KLAATU Over-The-Shoulder (WASD_WOTSUP) reports: 1. server PID 001C0950 exit %X00000001 (%SYSTEM-S-NORMAL) 2. server STARTUP (10) 3. server PIDs are 0018C14F (HTTPd:80), 001C0950 (HTTPe:80) 4. pagfilcnt:395432 pgflquota:500000 79% <= 80% </div> <p> For further information check the descriptive prologue in the <a class="link blank" target="_blank" href="/wasd_root/src/utils/wotsup.c">WASD_ROOT:[SRC.UTILS]WOTSUP.C</a> source code. <!-- source:1400_INDEX.WASDOC --> <hr class="page"> <a id="14." 
href="#"></a> <a id="14.index" href="#"></a> <a id="index" href="#"></a> <h1 class="head"><span class="numb">14.</span><span class="text">Index</span></h1> <table class="NAVtable NAVprint"><tr> <td><a href="javascript:window.history.back();">↩︎</a> <td><a href="#13.">↖︎</a> <td><a href="#0.">↑︎</a> <td><a href="#15.">↘︎</a> <td><a href="javascript:window.history.forward();">↪︎</a> </table> <div class="IDXcols2"> <table class="IDXtable"> <tr><td class="alpha">A</td><td class="text"><a href="#0.abstract">‘Abstract’ in WASD Features and Facilities</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.1.accessbeforeconfiguration">9.1 Access Before Configuration</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.2.accessconfiguration">9.2 Access Configuration</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.accesscontrol">‘Access Control’ in 2. Package Overview</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.1.5.accessfiltering">‘Access Filtering’ in 7.1.5 Controlling Proxy Serving</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.4.accessrestrictionkeywords">‘Access Restriction Keywords’ in 3.4 Authorization Configuration File</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.7.1.accounting">9.7.1 Accounting</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.10.1.acme">3.10.1 ACME</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.6.7.addinganumbersignquotquottothewebfolderaddress">6.6.7 Adding a number-sign ("#") to the webfolder-address</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.6.6.addingaportnumbertothewebfolderaddress">6.6.6 Adding a port number to the webfolder-address</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.administration">‘Administration’ in 2. 
Package Overview</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.6.2.afterreceivingthecertificate">‘After Receiving The Certificate’ in 4.6.2 Certificate Signing Request</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.7.2.alignmentfaults">9.7.2 Alignment Faults</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.2.allopenssl102andearlier">‘All OpenSSL 1.0.2 and earlier’ in 4.2 TLS/SSL Functionality Sources</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.5.alternativeusingprofile">‘Alternative Using /PROFILE’ in 9.5 HTTPd Server Revise</a> <tr><td class="alpha"> </td><td class="text"><a href="#11.apachecomparison">‘Apache Comparison’ in 11. Server Performance</a> <tr><td class="alpha"> </td><td class="text"><a href="#0.apachelicenseversion20">‘Apache License, Version 2.0’ in WASD Features and Facilities</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.2.asofwasdv120cachingisobsolete">‘As of WASD v12.0 Caching is OBSOLETE’ in 7.2 Proxy Cache</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.8.athome">‘At Home’ in 4.8 SSL Service Evaluation</a> <tr><td class="alpha"> </td><td class="text"><a href="#15.attributionandacknowledgement">15. Attribution and Acknowledgement</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.7.3.authentication">9.7.3 Authentication</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.authenticationandauthorization">3. 
Authentication and Authorization</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.16.authenticationcache">‘Authentication Cache’ in 3.16 Cancelling Authorization</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.2.authenticationcacheandrevalidation">‘Authentication Cache and Revalidation’ in 3.2 Authentication Policy</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.2.authenticationfailures">‘Authentication Failures’ in 3.2 Authentication Policy</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.2.authenticationpolicy">3.2 Authentication Policy</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.5.authenticationsources">3.5 Authentication Sources</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.9.authorizationcache">3.9 Authorization Cache</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.8.authorizationconfigurationexamples">3.8 Authorization Configuration Examples</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.4.authorizationconfigurationfile">3.4 Authorization Configuration File</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.5.12.authorizationusingx509certification">4.5.12 Authorization Using X.509 Certification</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.6.1.authorizationverification">‘Authorization Verification’ in 7.6.1 Reverse Proxy</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.8.2.automatic">7.8.2 Automatic</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.2.2.avoidquotinterestingquotfilenames">‘Avoid "Interesting" File Names’ in 6.2.2 File Naming</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.6.3.avoidingmicrosoftpropertyclutter">6.6.3 Avoiding Microsoft Property Clutter</a> <tr><td class="alpha">B</td><td class="text"><a href="#11.benchmarksetup">‘Benchmark Setup’ in 11. 
Server Performance</a> <tr><td class="alpha"> </td><td class="text"><a href="#15.bjoumlernhoumlehrmann">‘Bjöern Höehrmann’ in 15. Attribution and Acknowledgement</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.8.browserproxyconfiguration">7.8 Browser Proxy Configuration</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.5.16.byresource">‘By Resource’ in 4.5.16 X509 Configuration</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.5.16.byservice">‘By Service’ in 4.5.16 X509 Configuration</a> <tr><td class="alpha">C</td><td class="text"><a href="#9.7.4.cache">9.7.4 Cache</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.6.calogs">13.6 CALogs</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.16.cancellingauthorization">3.16 Cancelling Authorization</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.caution">‘Caution’ in 6. WebDAV</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.10.5.caution">‘CAUTION’ in 3.10.5 VMS Account Proxying</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.5.17.certificateauthorityverificationfile">4.5.17 Certificate Authority Verification File</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.6.certificatemanagement">4.6 Certificate Management</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.6.2.certificatesigningrequest">4.6.2 Certificate Signing Request</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.1.4.chainauthorization">‘Chain Authorization’ in 7.1.4 Proxy Chaining</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.1.5.chainpassword">‘Chain Password’ in 7.1.5 Controlling Proxy Serving</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.7.3.chainingfirewall">‘Chaining FIREWALL’ in 7.7.3 [ServiceProxyTunnel] FIREWALL</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.7.2.chainingraw">‘Chaining RAW’ in 7.7.2 [ServiceProxyTunnel] RAW</a> <tr><td class="alpha"> </td><td class="text"><a 
href="#4.6.1.changingservercertificates">‘Changing Server Certificates’ in 4.6.1 Server Certificate</a> <tr><td class="alpha"> </td><td class="text"><a href="#15.clarkcooperetal">‘Clark Cooper, et.al.’ in 15. Attribution and Acknowledgement</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.7.clienttools">‘Client Tools’ in 6.7 References</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.2.codemodules">‘Code Modules’ in 10.2 Event Categories</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.6.commandlineuse">10.6 Command-Line Use</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.7.7.complexprivatetunneling">7.7.7 Complex Private Tunneling</a> <tr><td class="alpha"> </td><td class="text"><a href="#11.1.concurrency1">‘Concurrency 1’ in 11.1 Simple File Request Turn-Around</a> <tr><td class="alpha"> </td><td class="text"><a href="#11.1.concurrency1">‘Concurrency 1’ in 11.1 Simple File Request Turn-Around</a> <tr><td class="alpha"> </td><td class="text"><a href="#11.1.concurrency1">‘Concurrency 1’ in 11.1 Simple File Request Turn-Around</a> <tr><td class="alpha"> </td><td class="text"><a href="#11.2.concurrency1requestssecond">‘Concurrency 1 - Requests/Second’ in 11.2 Scripting</a> <tr><td class="alpha"> </td><td class="text"><a href="#11.1.concurrency10">‘Concurrency 10’ in 11.1 Simple File Request Turn-Around</a> <tr><td class="alpha"> </td><td class="text"><a href="#11.1.concurrency10">‘Concurrency 10’ in 11.1 Simple File Request Turn-Around</a> <tr><td class="alpha"> </td><td class="text"><a href="#11.1.concurrency10">‘Concurrency 10’ in 11.1 Simple File Request Turn-Around</a> <tr><td class="alpha"> </td><td class="text"><a href="#11.2.concurrency10requestssecond">‘Concurrency 10 - Requests/Second’ in 11.2 Scripting</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.2.5.concurrentauthorisation">6.2.5 Concurrent Authorisation</a> <tr><td class="alpha"> </td><td class="text"><a 
href="#3.11.configuration">‘Configuration’ in 3.11 Token Authentication</a> <tr><td class="alpha"> </td><td class="text"><a href="#8.1.3.configuration">8.1.3 Configuration</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.6.configurationactionsection">‘Configuration Action Section’ in 9.6 HTTPd Server Action</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.7.5.configurationcheck">9.7.5 Configuration Check</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.3.connectserving">7.3 CONNECT Serving</a> <tr><td class="alpha"> </td><td class="text"><a href="#8.1.2.considerations">8.1.2 Considerations</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.6.controlsection">‘Control Section’ in 9.6 HTTPd Server Action</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.3.2.controllingconnectserving">7.3.2 Controlling CONNECT Serving</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.1.5.controllingproxyserving">7.1.5 Controlling Proxy Serving</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.13.controllingserverwriteaccess">3.13 Controlling Server Write Access</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.1.1.copyrestrictions">6.1.1 COPY Restrictions</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.cryptographysoftware">‘Cryptography Software’ in 4. 
Transport Layer Security</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.7.cspreporter">13.7 CSPreport[er]</a> <tr><td class="alpha">D</td><td class="text"><a href="#11.1.dataratembytessecond">‘Data Rate - MBytes/Second’ in 11.1 Simple File Request Turn-Around</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.7.6.dclscriptingprocesses">9.7.6 DCL/Scripting Processes</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.7.7.decnetscriptingconnections">9.7.7 DECnet Scripting Connections</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.1.2.deleterestrictions">6.1.2 DELETE Restrictions</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.10.4.deprecatedanddiscouraged">‘Deprecated and Discouraged’ in 3.10.4 WASD "Hard-Wired" Identifiers</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.3.directorymetadata">‘Directory Metadata’ in 6.3 WebDAV Metadata</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.6.4.dnswildcardproxy">7.6.4 DNS Wildcard Proxy</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.5.3.dreamweaver">6.5.3 Dreamweaver</a> <tr><td class="alpha">E</td><td class="text"><a href="#13.1.echofacility">13.1 Echo Facility</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.1.1.enablingaproxyservice">7.1.1 Enabling A Proxy Service</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.3.1.enablingconnectserving">7.3.1 Enabling CONNECT Serving</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.5.enablingserveraccess">‘Enabling Server Access’ in 9.5 HTTPd Server Revise</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.4.enablingsocks5proxy">‘Enabling SOCKS5 Proxy’ in 7.4 SOCKS Version 5</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.6.5.enablingssl">‘Enabling SSL’ in 7.6.5 Originating SSL</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.7.4.encryptedtunnel">7.7.4 Encrypted Tunnel</a> <tr><td class="alpha"> </td><td 
class="text"><a href="#7.7.5.encryptedtunnelwithauthentication">7.7.5 Encrypted Tunnel With Authentication</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.6.11.error0x800700dfthefilesizeexceedsthelimitallowedandcannotbesaved">6.6.11 Error 0x800700DF: The file size exceeds the limit allowed and cannot be saved</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.errormessages">‘Error Messages’ in 7. Proxy Services</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.2.eventcategories">10.2 Event Categories</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.7.7.exampleinaction">‘Example In Action’ in 7.7.7 Complex Private Tunneling</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.12.examples">‘Examples’ in 3.12 Skeleton-Key Authentication</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.3.examples">‘Examples’ in 10.3 Request Filtering</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.5.15.extensionvisibility">‘Extension Visibility’ in 4.5.15 Subject Alternative Name and Other Extensions</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.7.7.externalmapping">‘External Mapping’ in 7.7.7 Complex Private Tunneling</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.7.7.externalservices">‘External Services’ in 7.7.7 Complex Private Tunneling</a> <tr><td class="alpha">F</td><td class="text"><a href="#8.1.1.failthrough">‘Fail-Through’ in 8.1.1 VMS Clustering Comparison</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.5.14.features">4.5.14 Features</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.2.2.filenameambiguity">‘File Name Ambiguity’ in 6.2.2 File Naming</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.2.2.filenaming">6.2.2 File Naming</a> <tr><td class="alpha"> </td><td class="text"><a href="#11.1.filerecordformat">‘File Record Format’ in 11.1 Simple File Request Turn-Around</a> <tr><td class="alpha"> </td><td class="text"><a 
href="#11.1.filetransferrate">‘File Transfer Rate’ in 11.1 Simple File Request Turn-Around</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.2.3.filesystemaccess">6.2.3 File-system Access</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.2.4.filesystemauthorisation">6.2.4 File-system Authorisation</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.11.filters">‘Filters’ in 13.11 QDLogStats</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.6.8.forcewindowsxptousebasicauthentication">6.6.8 Force Windows XP to use Basic Authentication</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.5.5.forwardsecrecy">4.5.5 Forward Secrecy</a> <tr><td class="alpha"> </td><td class="text"><a href="#15.freesoftwarefoundation">‘Free Software Foundation’ in 15. Attribution and Acknowledgement</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.6.2.frontpageextensions">6.6.2 FrontPage Extensions</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.5.ftpproxyserving">7.5 FTP Proxy Serving</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.5.1.ftpquerystringkeywords">7.5.1 FTP Query String Keywords</a> <tr><td class="alpha">G</td><td class="text"><a href="#7.6.gatewayingusingproxy">7.6 Gatewaying Using Proxy</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.general">‘General’ in 2. 
Package Overview</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.2.general">‘General’ in 10.2 Event Categories</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.5.16.generalsetup">‘General Setup’ in 4.5.16 X509 Configuration</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.3.1.globalconfiguration">5.3.1 Global Configuration</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.5.2.gnomegvfsnautilus">6.5.2 Gnome/gvfs/Nautilus</a> <tr><td class="alpha">H</td><td class="text"><a href="#9.7.8.hhelppp">9.7.8 Hhelppp!</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.2.hissfacility">13.2 Hiss Facility</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.8.htadmin">13.8 HTAdmin</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.3.httpmethods">‘HTTP Methods’ in 3.3 Permissions, Path and User</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.1.httpmethodssupported">6.1 HTTP Methods Supported</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.1.httpproxyserving">7.1 HTTP Proxy Serving</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.2.httpreport">‘HTTP Report’ in 5.2 HTTP/2 and Performance</a> <tr><td class="alpha"> </td><td class="text"><a href="#11.1.http11clear">‘HTTP/1.1 clear’ in 11.1 Simple File Request Turn-Around</a> <tr><td class="alpha"> </td><td class="text"><a href="#11.1.http11encrypted">‘HTTP/1.1 encrypted’ in 11.1 Simple File Request Turn-Around</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.http2">5. 
HTTP/2</a> <tr><td class="alpha"> </td><td class="text"><a href="#11.1.http2encrypted">‘HTTP/2 (encrypted)’ in 11.1 Simple File Request Turn-Around</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.2.http2andperformance">5.2 HTTP/2 and Performance</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.1.http2andwatch">‘HTTP/2 and WATCH’ in 5.1 WASD HTTP/2</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.3.http2configuration">5.3 HTTP/2 Configuration</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.7.9.http2connection">9.7.9 HTTP/2 Connection</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.4.http2detection">5.4 HTTP/2 Detection</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.3.1.http2globalconfiguration">‘HTTP/2 Global Configuration’ in 5.3.1 Global Configuration</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.5.http2references">5.5 HTTP/2 References</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.3.3.http2setrules">5.3.3 HTTP/2 Set Rules</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.7.httpdcommandline">9.7 HTTPd Command Line</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.9.httpdmonitor">13.9 HTTPd Monitor</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.6.httpdserveraction">9.6 HTTPd Server Action</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.4.httpdserverreports">9.4 HTTPd Server Reports</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.5.httpdserverrevise">9.5 HTTPd Server Revise</a> <tr><td class="alpha"> </td><td class="text"><a href="#12.httpdwebupdate">12. 
HTTPd Web Update</a> <tr><td class="alpha">I</td><td class="text"><a href="#6.1.4.ifrestrictions">6.1.4 If: Restrictions</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.9.implication">‘Implication’ in 3.9 Authorization Cache</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.5.12.important">‘Important’ in 4.5.12 Authorization Using X.509 Certification</a> <tr><td class="alpha"> </td><td class="text"><a href="#14.index">14. Index</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.7.11.instancestatus">9.7.11 Instance Status</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.7.10.instances">9.7.10 Instances</a> <tr><td class="alpha"> </td><td class="text"><a href="#8.instancesandenvironments">8. Instances and Environments</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.7.7.internalmapping">‘Internal Mapping’ in 7.7.7 Complex Private Tunneling</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.7.7.internalservices">‘Internal Services’ in 7.7.7 Complex Private Tunneling</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.4.internationalfeatures">2.4 International Features</a> <tr><td class="alpha"> </td><td class="text"><a href="#1.introduction">1. Introduction</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.2.isitallworthitnbspnbspasmightbeexpectedndashthatdepends">‘Is it all worth it? 
As might be expected – that depends.’ in 5.2 HTTP/2 and Performance</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.1.itsfairtosayhellip">‘It's fair to say…’ in 5.1 WASD HTTP/2</a> <tr><td class="alpha">K</td><td class="text"><a href="#3.8.1.kiss">3.8.1 KISS</a> <tr><td class="alpha">L</td><td class="text"><a href="#7.5.2.quotloginquotkeyword">7.5.2 "login" Keyword</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.1.letsencrypt">4.1 Let's Encrypt</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.6.1.letsencrypt">‘Let's Encrypt’ in 4.6.1 Server Certificate</a> <tr><td class="alpha"> </td><td class="text"><a href="#0.license">‘License’ in WASD Features and Facilities</a> <tr><td class="alpha"> </td><td class="text"><a href="#15.licensedundertheapachelicenseversion20">‘Licensed under the Apache License, Version 2.0’ in 15. Attribution and Acknowledgement</a> <tr><td class="alpha"> </td><td class="text"><a href="#8.1.1.loadsharing">‘Load Sharing’ in 8.1.1 VMS Clustering Comparison</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.6.1.loadingauthoritycertificates">‘Loading Authority Certificates’ in 4.6.1 Server Certificate</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.1.5.localpassword">‘Local Password’ in 7.1.5 Controlling Proxy Serving</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.4.lockdepth0">‘Lock Depth 0’ in 6.4 WebDAV Locking</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.4.lockingdepth">‘Locking Depth’ in 6.4 WebDAV Locking</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.4.lockingtimeout">‘Locking Timeout’ in 6.4 WebDAV Locking</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.7.12.logging">9.7.12 Logging</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.10.2.logontype">3.10.2 Logon Type</a> <tr><td class="alpha">M</td><td class="text"><a href="#7.8.1.manual">7.8.1 Manual</a> <tr><td class="alpha"> </td><td class="text"><a 
href="#9.7.13.mapping">9.7.13 Mapping</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.6.1.mapping">6.6.1 Mapping</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.10.md5digest">13.10 MD5digest</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.3.metadatafiles">‘Metadata Files’ in 6.3 WebDAV Metadata</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.3.metadatashouldnotbeeditedmanually">‘Metadata should not be edited manually ...’ in 6.3 WebDAV Metadata</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.3.metadataxml">‘Metadata XML’ in 6.3 WebDAV Metadata</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.1.method">‘Method’ in 9.1 Access Before Configuration</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.3.microsoftmetadata">‘Microsoft Metadata’ in 6.3 WebDAV Metadata</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.6.microsoftmiscellanea">6.6 Microsoft Miscellanea</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.6.10.microsoftwindows7basicauthentication">6.6.10 Microsoft Windows 7 BASIC Authentication</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.6.9.microsoftxpexplorerbasicauthentication">6.6.9 Microsoft XP Explorer BASIC Authentication</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.1.3.moverestrictions">6.1.3 MOVE Restrictions</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.6.muchofthisisprewindows10">‘much of this is pre- Windows 10’ in 6.6 Microsoft Miscellanea</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.7.multiserverclusterwide">‘Multi-Server/Cluster-Wide’ in 9.7 HTTPd Command Line</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.5.multiplesourcetypes">‘Multiple Source Types’ in 3.5 Authentication Sources</a> <tr><td class="alpha">N</td><td class="text"><a href="#9.7.needittobejogged">‘Need it to be jogged?’ in 9.7 HTTPd Command Line</a> <tr><td class="alpha"> </td><td class="text"><a 
href="#10.2.network">‘Network’ in 10.2 Event Categories</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.7.14.networkconnection">9.7.14 Network Connection</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.10.6.nilaccessvmsaccounts">3.10.6 Nil-Access VMS Accounts</a> <tr><td class="alpha"> </td><td class="text"><a href="#15.noneofthefollowinglicensingappearsincompatiblewiththeapachelicense">‘None of the following licensing appears incompatible with the Apache License’ in 15. Attribution and Acknowledgement</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.6.notreallyanendorsementbut">‘not really an endorsement but’ in 4.6 Certificate Management</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.5.5.note">‘Note’ in 4.5.5 Forward Secrecy</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.5.5.note">‘Note’ in 4.5.5 Forward Secrecy</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.5.note">‘Note’ in 3.5 Authentication Sources</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.6.2.note">‘Note’ in 7.6.2 Proxy Rework</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.6.2.note">‘Note’ in 7.6.2 Proxy Rework</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.6.4.note">‘Note’ in 7.6.4 DNS Wildcard Proxy</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.7.8.note">‘Note’ in 7.7.8 Tunnelling Source</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.15.note">‘Note’ in 3.15 User Password Modification</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.12.note">‘Note’ in 3.12 Skeleton-Key Authentication</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.10.8.note">‘Note’ in 3.10.8 SYSUAF Security Profile</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.5.note">‘Note’ in 10.5 Usage Suggestions</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.1.5.note">‘Note’ in 7.1.5 Controlling Proxy Serving</a> <tr><td class="alpha">O</td><td 
class="text"><a href="#1.objectives">‘Objectives’ in 1. Introduction</a> <tr><td class="alpha"> </td><td class="text"><a href="#15.ohiostateuniversity">‘Ohio State University’ in 15. Attribution and Acknowledgement</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.6.3.oneshotproxy">7.6.3 One-Shot Proxy</a> <tr><td class="alpha"> </td><td class="text"><a href="#0.onlinesearch">‘Online Search’ in WASD Features and Facilities</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.5.3.openssloptions">‘OpenSSL Options’ in 4.5.3 SSL Ciphers</a> <tr><td class="alpha"> </td><td class="text"><a href="#15.opensslproject">‘OpenSSL Project’ in 15. Attribution and Acknowledgement</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.4.opensslexeapplication">4.4 OPENSSL.EXE Application</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.6.4.optionsheaderquotmsauthorviadavquot">6.6.4 OPTIONS header "MS-Author-Via: DAV"</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.6.5.originatingssl">7.6.5 Originating SSL</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.5.1.osxfinder">6.5.1 OS X Finder</a> <tr><td class="alpha"> </td><td class="text"><a href="#11.osucomparison">‘OSU Comparison’ in 11. Server Performance</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.2.other">‘Other’ in 10.2 Event Categories</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.2.otherassessment">‘Other Assessment’ in 5.2 HTTP/2 and Performance</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.overview">‘Overview’ in 3. Authentication and Authorization</a> <tr><td class="alpha">P</td><td class="text"><a href="#2.packageoverview">2. 
Package Overview</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.11.parametersandqualifiers">‘Parameters and Qualifiers’ in 13.11 QDLogStats</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.8.parametersandqualifiers">‘Parameters and Qualifiers’ in 13.8 HTAdmin</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.6.parametersandqualifiers">‘Parameters and Qualifiers’ in 13.6 CALogs</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.15.passwordexpiry">‘Password Expiry’ in 3.15 User Password Modification</a> <tr><td class="alpha"> </td><td class="text"><a href="#15.paulejones">‘Paul E. Jones’ in 15. Attribution and Acknowledgement</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.2.performanceassessment">‘Performance Assessment’ in 5.2 HTTP/2 and Performance</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.10.8.performanceimpact">‘Performance Impact’ in 3.10.8 SYSUAF Security Profile</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.3.permissionspathanduser">3.3 Permissions, Path and User</a> <tr><td class="alpha"> </td><td class="text"><a href="#11.2.persistentscripting">‘Persistent Scripting’ in 11.2 Scripting</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.2.proxy">‘Proxy’ in 10.2 Event Categories</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.1.2.proxyaffinity">7.1.2 Proxy Affinity</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.1.3.proxybind">7.1.3 Proxy Bind</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.2.proxycache">7.2 Proxy Cache</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.2.proxycacheisobsolete">‘Proxy Cache is OBSOLETE’ in 7.2 Proxy Cache</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.1.4.proxychaining">7.1.4 Proxy Chaining</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.proxyerrormessages">‘Proxy Error Messages’ in 7. 
Proxy Services</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.1.5.proxypassword">‘Proxy Password’ in 7.1.5 Controlling Proxy Serving</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.6.2.proxyrework">7.6.2 Proxy Rework</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.proxyservices">7. Proxy Services</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.proxyservingquickstart">‘Proxy Serving Quick-Start’ in 7. Proxy Services</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.6.2.proxymungeutility">‘proxyMUNGE Utility’ in 7.6.2 Proxy Rework</a> <tr><td class="alpha">Q</td><td class="text"><a href="#13.11.qdlogstats">13.11 QDLogStats</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.8.qualysssllab">‘Qualys SSL Lab’ in 4.8 SSL Service Evaluation</a> <tr><td class="alpha">R</td><td class="text"><a href="#6.2.6.realworldexample">6.2.6 Real-World Example</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.5.realmdescription">‘Realm Description’ in 3.5 Authentication Sources</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.6.realmfullaccessreadonly">3.6 Realm, Full-Access, Read-Only</a> <tr><td class="alpha"> </td><td class="text"><a href="#1.reasonsforyetanotherwebpackage">‘Reasons For Yet Another Web Package’ in 1. 
Introduction</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.6.1.redirectionlocationfield">‘Redirection Location Field’ in 7.6.1 Reverse Proxy</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.7.references">6.7 References</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.6.5.repairingbrokenxpwebfolders">6.6.5 Repairing broken XP Web Folders</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.4.reportformat">10.4 Report Format</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.2.request">‘Request’ in 10.2 Event Categories</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.3.requestfiltering">10.3 Request Filtering</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.1.5.requestmodification">‘Request Modification’ in 7.1.5 Controlling Proxy Serving</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.6.requestredirect">‘Request Redirect’ in 7.6 Gatewaying Using Proxy</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.4.reservednames">‘Reserved Names’ in 3.4 Authorization Configuration File</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.4.reservedusername">‘Reserved Username’ in 3.4 Authorization Configuration File</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.2.response">‘Response’ in 10.2 Event Categories</a> <tr><td class="alpha"> </td><td class="text"><a href="#8.1.1.restart">‘Restart’ in 8.1.1 VMS Clustering Comparison</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.6.1.reverseproxy">7.6.1 Reverse Proxy</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.10.3.rightsidentifiers">3.10.3 Rights Identifiers</a> <tr><td class="alpha"> </td><td class="text"><a href="#15.rsadatasecurity">‘RSA Data Security’ in 15. 
Attribution and Acknowledgement</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.1.ruleinterpretation">3.1 Rule Interpretation</a> <tr><td class="alpha">S</td><td class="text"><a href="#2.scripting">‘Scripting’ in 2. Package Overview</a> <tr><td class="alpha"> </td><td class="text"><a href="#11.2.scripting">11.2 Scripting</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.12.sechanutility">13.12 SECHAN Utility</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.7.16.securesocketslayer">9.7.16 Secure Sockets Layer</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.14.securingallrequests">3.14 Securing All Requests</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.6.1.selfsignedcertificates">‘Self-Signed Certificates’ in 4.6.1 Server Certificate</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.serveradministration">9. Server Administration</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.1.serverbehaviour">2.1 Server Behaviour</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.6.1.servercertificate">4.6.1 Server Certificate</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.4.serverclisysplus">‘Server CLI /SYSPLUS’ in 9.4 HTTPd Server Reports</a> <tr><td class="alpha"> </td><td class="text"><a href="#8.2.serverenvironments">8.2 Server Environments</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.1.serverinstances">10.1 Server Instances</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.3.serverinstances">9.3 Server Instances</a> <tr><td class="alpha"> </td><td class="text"><a href="#8.1.serverinstances">8.1 Server Instances</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.7.serverlogannotation">‘Server Log Annotation’ in 9.7 HTTPd Command Line</a> <tr><td class="alpha"> </td><td class="text"><a href="#11.serverperformance">11. 
Server Performance</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.3.2.serviceconfiguration">5.3.2 Service Configuration</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.5.6.sessionresumption">4.5.6 Session Resumption</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.7.setpathsslcgiapachemodssl">‘set /path/* SSLCGI=apache_mod_ssl’ in 4.7 SSL CGI Variables</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.7.6.sharedsshtunnel">7.7.6 Shared SSH Tunnel</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.10.1.shouldacmebeunavailable">‘Should ACME be unavailable’ in 3.10.1 ACME</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.7.15.shutdownandrestart">9.7.15 Shutdown and Restart</a> <tr><td class="alpha"> </td><td class="text"><a href="#11.1.simplefilerequestturnaround">11.1 Simple File Request Turn-Around</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.12.skeletonkeyauthentication">3.12 Skeleton-Key Authentication</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.4.socksversion5">7.4 SOCKS Version 5</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.somethoughtsfromrsengelschall">‘Some Thoughts From R. S. Engelschall’ in 4. 
Transport Layer Security</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.5.somewrinkles">6.5 Some Wrinkles</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.8.sortdetails">‘Sort Details’ in 13.8 HTAdmin</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.5.11.sslaccesscontrol">4.5.11 SSL Access Control</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.7.sslcgivariables">4.7 SSL CGI Variables</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.5.3.sslciphers">4.5.3 SSL Ciphers</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.5.sslconfiguration">4.5 SSL Configuration</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.5.3.ssloptions">‘SSL Options’ in 4.5.3 SSL Ciphers</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.5.9.sslprivatekey">4.5.9 SSL Private Key</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.9.sslreferences">4.9 SSL References</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.5.8.sslservercertificate">4.5.8 SSL Server Certificate</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.8.sslserviceevaluation">4.8 SSL Service Evaluation</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.7.2.ssltoraw">‘SSL to RAW’ in 7.7.2 [ServiceProxyTunnel] RAW</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.5.2.sslversions">‘SSL Versions’ in 4.5.2 TLS/SSL Versions</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.5.10.sslvirtualservices">4.5.10 SSL Virtual Services</a> <tr><td class="alpha"> </td><td class="text"><a href="#8.1.4.status">8.1.4 Status</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.3.streamfacility">13.3 Stream Facility</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.13.streamlfutility">13.13 StreamLF Utility</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.5.7.stricttransportsecurity">4.5.7 Strict Transport Security</a> <tr><td class="alpha"> </td><td class="text"><a 
href="#3.1.stringmatching">‘String Matching’ in 3.1 Rule Interpretation</a> <tr><td class="alpha"> </td><td class="text"><a href="#15.stuartlangridge">‘Stuart Langridge’ in 15. Attribution and Acknowledgement</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.5.15.subjectalternativenameandotherextensions">4.5.15 Subject Alternative Name and Other Extensions</a> <tr><td class="alpha"> </td><td class="text"><a href="#11.sureanoldclunker">‘Sure, an old clunker’ in 11. Server Performance</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.4.systemreportplus">‘System Report PLUS’ in 9.4 HTTPd Server Reports</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.10.7.sysuafandssl">3.10.7 SYSUAF and SSL</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.10.9.sysuafprofileforfullsiteaccess">3.10.9 SYSUAF Profile For Full Site Access</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.10.8.sysuafsecurityprofile">3.10.8 SYSUAF Security Profile</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.10.sysuafauthenticatedusers">3.10 SYSUAF-Authenticated Users</a> <tr><td class="alpha">T</td><td class="text"><a href="#0.tableofcontent">‘Table of Content’ in WASD Features and Facilities</a> <tr><td class="alpha"> </td><td class="text"><a href="#15.tatsuhirotsujikawa">‘Tatsuhiro Tsujikawa’ in 15. Attribution and Acknowledgement</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.3.tcpippackages">2.3 TCP/IP Packages</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.8.testtlsversion13">‘test TLS Version 1.3’ in 4.8 SSL Service Evaluation</a> <tr><td class="alpha"> </td><td class="text"><a href="#11.thesearev115results">‘These Are v11.5 Results’ in 11. Server Performance</a> <tr><td class="alpha"> </td><td class="text"><a href="#11.theseresultsareindicativeonly">‘These results are indicative only!’ in 11. 
Server Performance</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.7.17.throttle">9.7.17 Throttle</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.tlsandssl">‘TLS and SSL’ in 4. Transport Layer Security</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.tlsfunctionalityisnotsuppliedwiththebasicwasdpackage">‘TLS functionality is not supplied with the basic WASD package’ in 4. Transport Layer Security</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.8.tlsversion13">‘TLS Version 1.3’ in 4.8 SSL Service Evaluation</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.5.2.tlsversion13">‘TLS Version 1.3’ in 4.5.2 TLS/SSL Versions</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.2.tlssslfunctionalitysources">4.2 TLS/SSL Functionality Sources</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.5.3.tlsssloptions">‘TLS/SSL Options’ in 4.5.3 SSL Ciphers</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.5.2.tlssslversions">4.5.2 TLS/SSL Versions</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.11.tokenauthentication">3.11 Token Authentication</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.transportlayersecurity">4. Transport Layer Security</a> <tr><td class="alpha"> </td><td class="text"><a href="#1.1.troubleshooting">1.1 Troubleshooting?</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.7.tunnelingusingproxy">7.7 Tunneling Using Proxy</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.7.8.tunnellingsource">7.7.8 Tunnelling Source</a> <tr><td class="alpha">U</td><td class="text"><a href="#12.updateaccesspermission">‘Update Access Permission’ in 12. 
HTTPd Web Update</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.6.usageexamples">‘Usage Examples’ in 13.6 CALogs</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.8.usageexamples">‘Usage Examples’ in 13.8 HTAdmin</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.11.usageexamples">‘Usage Examples’ in 13.11 QDLogStats</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.5.usagesuggestions">10.5 Usage Suggestions</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.15.userpasswordmodification">3.15 User Password Modification</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.1.2.useshttpcookies">‘Uses HTTP Cookies’ in 7.1.2 Proxy Affinity</a> <tr><td class="alpha"> </td><td class="text"><a href="#8.1.4.usinginstancestatus">‘Using Instance Status’ in 8.1.4 Status</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.utilitiesandfacilities">13. Utilities and Facilities</a> <tr><td class="alpha">V</td><td class="text"><a href="#3.7.virtualservers">3.7 Virtual Servers</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.10.5.vmsaccountproxying">3.10.5 VMS Account Proxying</a> <tr><td class="alpha"> </td><td class="text"><a href="#8.1.1.vmsclusteringcomparison">8.1.1 VMS Clustering Comparison</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.4.vmsdlmlocking">‘VMS DLM Locking’ in 6.4 WebDAV Locking</a> <tr><td class="alpha"> </td><td class="text"><a href="#2.2.vmsversions">2.2 VMS Versions</a> <tr><td class="alpha">W</td><td class="text"><a href="#8.1.warning">‘WARNING’ in 8.1 Server Instances</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.10.warning">‘WARNING!’ in 3.10 SYSUAF-Authenticated Users</a> <tr><td class="alpha"> </td><td class="text"><a href="#3.10.4.wasdquothardwiredquotidentifiers">3.10.4 WASD "Hard-Wired" Identifiers</a> <tr><td class="alpha"> </td><td class="text"><a href="#0.wasdfeaturesandfacilities">‘WASD Features and Facilities’ in WASD Features and 
Facilities</a> <tr><td class="alpha"> </td><td class="text"><a href="#5.1.wasdhttp2">5.1 WASD HTTP/2</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.3.wasdsslquickstart">4.3 WASD SSL Quick-Start</a> <tr><td class="alpha"> </td><td class="text"><a href="#15.wasdvmswebservicesndashcopyrightcopy19962021markgdaniel">‘WASD VMS Web Services – Copyright © 1996-2021 Mark G. Daniel’ in 15. Attribution and Acknowledgement</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.5.1.wasdconfigservice">4.5.1 WASD_CONFIG_SERVICE</a> <tr><td class="alpha"> </td><td class="text"><a href="#7.1.1.wasdconfigservice">‘WASD_CONFIG_SERVICE’ in 7.1.1 Enabling A Proxy Service</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.14.wasteeutility">13.14 WAStee Utility</a> <tr><td class="alpha"> </td><td class="text"><a href="#10.watchfacility">10. WATCH Facility</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.webdav">6. WebDAV</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.2.webdavconfiguration">6.2 WebDAV Configuration</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.4.webdavlocking">6.4 WebDAV Locking</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.3.webdavmetadata">6.3 WebDAV Metadata</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.2.1.webdavsetrules">6.2.1 WebDAV Set Rules</a> <tr><td class="alpha"> </td><td class="text"><a href="#9.7.18.websocket">9.7.18 WebSocket</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.4.wherefacility">13.4 Where Facility</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.2.6.whyusehellip">‘Why use …’ in 6.2.6 Real-World Example</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.15.wotsuputility">13.15 WOTSUP Utility</a> <tr><td class="alpha"> </td><td class="text"><a href="#6.4.writeaccessonly">‘Write Access Only’ in 6.4 WebDAV Locking</a> <tr><td class="alpha">X</td><td class="text"><a 
href="#4.5.18.x509authorizationcgivariables">4.5.18 X.509 Authorization CGI Variables</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.5.13.x509certificaterenegotiation">4.5.13 X.509 Certificate Renegotiation</a> <tr><td class="alpha"> </td><td class="text"><a href="#4.5.16.x509configuration">4.5.16 X509 Configuration</a> <tr><td class="alpha"> </td><td class="text"><a href="#13.5.xrayfacility">13.5 Xray Facility</a> <tr><td class="alpha">Y</td><td class="text"><a href="#5.2.ymmv">‘YMMV!’ in 5.2 HTTP/2 and Performance</a> </table> </div> <hr class="page"> <a id="15." href="#"></a> <a id="15.attributionandacknowledgement" href="#"></a> <a id="attributionandacknowledgement" href="#"></a> <h1 class="head"><span class="numb">15.</span><span class="text">Attribution and Acknowledgement</span></h1> <table class="NAVtable NAVprint"><tr> <td><a href="javascript:window.history.back();">↩︎</a> <td><a href="#14.">↖︎</a> <td><a href="#0.">↑︎</a> <td><a>↘︎</a> <td><a href="javascript:window.history.forward();">↪︎</a> </table> <a id="15.0.0.0.1" href="#"></a> <a id="15.wasdvmswebservicesndashcopyrightcopy19962021markgdaniel" href="#"></a> <a id="wasdvmswebservicesndashcopyrightcopy19962021markgdaniel" href="#"></a> <h5 class="head"><span class="text">WASD VMS Web Services – Copyright © 1996-2021 Mark G. Daniel</span></h5> <a id="15.0.0.0.2" href="#"></a> <a id="15.licensedundertheapachelicenseversion20" href="#"></a> <a id="licensedundertheapachelicenseversion20" href="#"></a> <h5 class="head"><span class="text">Licensed under the <span class="high bold">Apache License</span>, Version 2.0</span></h5> <p> <div class="blockof code">You may not use this software except in compliance with the License. 
You may obtain a copy of the License at <a class="link blank" target="_blank" style="margin-left:1em;" href="https://www.apache.org/licenses/LICENSE-2.0">https://www.apache.org/licenses/LICENSE-2.0</a> Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. </div> <a id="15.0.0.0.3" href="#"></a> <a id="15.noneofthefollowinglicensingappearsincompatiblewiththeapachelicense" href="#"></a> <a id="noneofthefollowinglicensingappearsincompatiblewiththeapachelicense" href="#"></a> <h5 class="head"><span class="text">None of the following licensing appears incompatible with the Apache License</span></h5> <a id="15.0.0.0.4" href="#"></a> <a id="15.clarkcooperetal" href="#"></a> <a id="clarkcooperetal" href="#"></a> <h5 class="head"><span class="text">Clark Cooper, et al.</span></h5> <p> This package uses the Expat XML parsing toolkit. <div class="blockof code">Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd and Clark Cooper Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006 Expat maintainers. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 
</div> <a id="15.0.0.0.5" href="#"></a> <a id="15.bjoumlernhoumlehrmann" href="#"></a> <a id="bjoumlernhoumlehrmann" href="#"></a> <h5 class="head"><span class="text">Björn Höhrmann</span></h5> <p> This package uses the essential algorithm and code from the Flexible and Economical UTF-8 Decoder. <div class="blockof code">Copyright (c) 2008-2009 Björn Höhrmann (<bjoern@hoehrmann.de>) Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. </div> <a id="15.0.0.0.6" href="#"></a> <a id="15.freesoftwarefoundation" href="#"></a> <a id="freesoftwarefoundation" href="#"></a> <h5 class="head"><span class="text">Free Software Foundation</span></h5> <p> This package contains software made available by the Free Software Foundation under the GNU General Public License. <div class="blockof code">This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version. </div> <a id="15.0.0.0.7" href="#"></a> <a id="15.ohiostateuniversity" href="#"></a> <a id="ohiostateuniversity" href="#"></a> <h5 class="head"><span class="text">Ohio State University</span></h5> <p> This package contains software provided with the OSU (DECthreads) HTTP server package, authored by David Jones: <div class="blockof code">Copyright 1994,1997 The Ohio State University. 
The Ohio State University will not assert copyright with respect to reproduction, distribution, performance and/or modification of this program by any person or entity that ensures that all copies made, controlled or distributed by or for him or it bear appropriate acknowlegement of the developers of this program. </div> <a id="15.0.0.0.8" href="#"></a> <a id="15.opensslproject" href="#"></a> <a id="opensslproject" href="#"></a> <h5 class="head"><span class="text">OpenSSL Project</span></h5> <p> This product <span class="high italic">can</span> include software developed by the OpenSSL Project for use in the OpenSSL Toolkit (<a class="link blank" target="_blank" href="https://www.openssl.org/">https://www.openssl.org/</a>). <div class="blockof code">Redistribution and use in source and binary forms, with or without modification, are permitted ... </div> <a id="15.0.0.0.9" href="#"></a> <a id="15.paulejones" href="#"></a> <a id="paulejones" href="#"></a> <h5 class="head"><span class="text">Paul E. Jones</span></h5> <p> This package uses SHA-1 hash code. <div class="blockof code">Copyright (C) 1998, 2009 Paul E. Jones <paulej@packetizer.com> Freeware Public License (FPL) This software is licensed as "freeware." Permission to distribute this software in source and binary forms, including incorporation into other products, is hereby granted without a fee. </div> <a id="15.0.0.0.10" href="#"></a> <a id="15.rsadatasecurity" href="#"></a> <a id="rsadatasecurity" href="#"></a> <h5 class="head"><span class="text">RSA Data Security</span></h5> <p> This software contains code derived in part from RSA Data Security, Inc: <div class="blockof code">permission granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing the derived work. 
</div> <a id="15.0.0.0.11" href="#"></a> <a id="15.stuartlangridge" href="#"></a> <a id="stuartlangridge" href="#"></a> <h5 class="head"><span class="text">Stuart Langridge</span></h5> <p> SortTable version 2 <br> Stuart Langridge, http://www.kryogenix.org/code/browser/sorttable/ <div class="blockof code">Thanks to many, many people for contributions and suggestions. Licenced as X11: <a class="link blank" target="_blank" href="http://www.kryogenix.org/code/browser/licence.html">http://www.kryogenix.org/code/browser/licence.html</a> This basically means: do what you want with it. </div> <a id="15.0.0.0.12" href="#"></a> <a id="15.tatsuhirotsujikawa" href="#"></a> <a id="tatsuhirotsujikawa" href="#"></a> <h5 class="head"><span class="text">Tatsuhiro Tsujikawa</span></h5> <p> nghttp2 - HTTP/2 C Library <br> Tatsuhiro Tsujikawa, <a class="link blank" target="_blank" href="https://github.com/tatsuhiro-t">https://github.com/tatsuhiro-t</a> <div class="blockof code">Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. </div> <p> <span class="high bold">VSI OpenVMS</span>, <span class="high bold">VSI TCP/IP Services for OpenVMS</span>, <span class="high bold">VSI C</span> <br> are registered trademarks of VMS Software Inc. 
<p> <span class="high bold">OpenVMS</span>, <span class="high bold">HP TCP/IP Services for OpenVMS</span>, <span class="high bold">HP C</span>, <span class="high bold">Alpha</span>, <span class="high bold">Itanium</span> and <span class="high bold">VAX</span> <br> are registered trademarks of Hewlett Packard Enterprise <p> <span class="high bold">MultiNet</span> and <span class="high bold">TCPware</span> are registered trademarks of Process Software Corporation <table class="NAVtable NAVprint"><tr> <td><a href="javascript:window.history.back();">↩︎</a> <td><a href="#14.">↖︎</a> <td><a href="#0.">↑︎</a> <td><a>↘︎</a> <td><a href="javascript:window.history.forward();">↪︎</a> </table> <title>WASD Features and Facilities</title>