Version 12.0.0 (November 2021)
- WASD – for a quarter century and more
– the only Web environment implemented expressly for VMS!
Let's Encrypt
Have (or want) a TLS (SSL) secured site? Using self-signed or commercial
server certificate(s)? Let's Encrypt makes it possible to obtain
and maintain browser-trusted certificates, simply, automatically and at no
cost.
See WASD Certificate Management Environment (wuCME) on the download
page at:
https://wasd.vsm.com.au/wasd/
- Apache License, Version 2.0
WASD licensing has moved from the GNU Public License to the arguably more
flexible Apache License.
https://www.apache.org/licenses/LICENSE-2.0
This includes all source, object and executable code, documentation and
other inclusions distributed in the WASD v12.0 and later archives, whether
explicitly designated as Apache licensed or not (reasonable effort has been
undertaken to modify all explicit licensing documentation). Note that OpenSSL
3 has been moved to the Apache License.
Now, in other news…
- x86-64 architecture supported.
Using IA64-hosted X86 Cross-Compiler
- VAX architecture no longer supported.
- 64 bit data previously implemented as back-to-back 32 bit longwords have
been moved to native 64 bit storage.
This has resulted in cleaner, more maintainable source code, as well as
execution efficiencies.
- When available with ODS-5, ATR$C_MODDATE (date-time data modified) is used
in preference to ATR$C_REVDATE (classic file revision date-time). Directory
listings, WebDAV, last-modified, etc., now reflect the most recent data
modification.
- The [ServiceConnect] directive allows a service to immediately respond to a
connection on that port with an internally generated "GET /" request
that can be mapped and processed like any other. Parallels [ServiceRawSocket]
behaviour at a much simpler level.
- When resources were shared between WebDAV requests (e.g. PROPFIND,
LOCK) and resource locations, and non-WebDAV requests (e.g. plain GET, HEAD)
and locations, differing authorisations and access controls could be applied.
Path SETings webdav=all and webdav=auth can control these.
- Proxy processing:
• local cache for cleartext responses obsolete;
• now supports SOCKS5 TCP/IP connect;
• rework facility (think proxymunge utility).
- Path SETing response=var=asis provides a VAR record resource
exactly as-is on the disk (in contrast to the usual conversion to a stream-LF
equivalent).
- The path mapping pass /path "200 $ command" is
passed to the script processor for execution. The command may be any
DCL command the scripting account is capable of processing.
- Historically, scripting processes have been named sequentially
"WASD:80-1".."WASD:80-999". Script processes are now named
"WASD:80_pid" where pid is the four least
significant hex digits of the process PID. Additionally, the process name
changes to indicate the particular activity when executing a script.
- The pre-v10.0.0 logical names (e.g. HTTPD$MAP) are deprecated
and will be obsoleted in a future version. The server process log issues
warnings such as %HTTPD-W-DEPRECATED, change HTTPD$MAP to
WASD_CONFIG_MAP (soon!) for any it finds during startup.
- Terminal screen application output (e.g. MONITOR utility) to browser page
available via scréper. See sources.
Version 11.5 (July 2020)
- Significant effort has been made to make this release the most stable and
performant v11.n so far.
Performance data have been updated for v11.5 (see 11. Server Performance).
- Installation, update and configuration information, previously the one
document, have been reworked into two.
- A new DCL procedure [INSTALL]0̷BTAIN.COM (yup, a zero) allows
selected portions of the package to be extracted for installation or update.
- With OpenSSL EOLing v1.0.n at the end of 2019 this is also the
final WASD that can be compiled against this stream. Future versions will only
build with OpenSSL v1.1.n and later (version 3 is coming!). VAX
releases no longer provide OpenSSL.
- New SET mapping rules;
response=csp=<policy>,
response=cspro=<policy>, and equivalent DCL callouts, CSP: and
CSPRO:, supporting Content Security Policy.
- Additional meta-config conditional; proctor:, allows a more obvious
proctored script mapping than the current request-method:.
Version 11.4 (July 2019)
- Fundamentally this is a 25th Anniversary
release of WASD, rather than any significant leap forward. Essentially
v11.3 with a small number of tweaks and fixes applied. In any case, a quarter
century of continuous development should not go unremarked.
- A useful feature available with v11.3 and now expanded and formalised
is the system+ report, available from the "+" of the [System+] button of the
Server Administration menu, and from the CLI using $ HTTPD /SYSPLUS
- There is one significant improvement to the package. However this is
largely for maintenance, a new documentation processing system – wasDOC –
see rationale and full document.
- Documentation and all references have been moved from WASD_ROOT:[DOC] to
WASD_ROOT:[WASDOC].
Version 11.3 (November 2018)
- OpenSSL 1.1.n is now supported, with 1.1.1 allowing deployment of
TLSv1.3 — a significant upgrade to the protocol. When OpenSSL is
installed system-wide, 32bit Crypto and SSL libraries must be provided for the
WASD build. Alternatively, a WASD-specific kit providing minimal required
OpenSSL v1.1.n resources can be used. OpenSSL 1.1.1 no longer supports
any SSL protocol version, only TLS. Note that WASD still can be built against
OpenSSL 1.0.2.
- WASD now uses an internal FILES-11 directory parser that improves the
performance of directory listings and internal file name searching.
- New SET mapping rule;
response=var=[CRLF|LF|NONE]
- Global configuration directive [BufferQuotaDclOutput] allows sizing of
script process SYS$OUTPUT mailbox quota.
- The CLI command /DO=REQUEST=RUNDOWN results in all current requests being
run down, and /DO=ZERO=STATUS clears the server status line (e.g.
-STARTUP-) displayed by the HTTPDMON utility.
- WebDAV has received significant attention with refinements and bugfixes
applied.
- Further server bugfixes and minor enhancements make this the most
functional and stable v11.n (see
[SRC.HTTPD]VERSION.H).
- QDLOGSTATS has had geolocation support refactored as described in the
utility code prologue. There is now no default geolocation.
Version 11.2 (March 2018)
- For bulk script->server data transfer (10s to 100s of MB),
throughput improvements up to 5x using a shared memory buffer in lieu of the
default mailbox transfer.
- Applicable to all multi-instance environments, especially for clustered
instances, are CLI, Server Admin and HTTPDMON reports providing a snapshot of
instance status; most recent startup and exit time and counts, most recent exit
status value, preceding minute and sixty minutes request processing counts.
- Associated with the above status data are server CLI commands; /DO=STATUS
a basic report, /DO=STATUS=NOW immediate instance update, /DO=STATUS=PURGE
remove stale entries, and /DO=STATUS=RESET remove all entries and allow to
repopulate.
- The CLI command /DO=SSL=CERT=LOAD is now a synonym for
/DO=SSL=SERVICE=LOAD[=<host:port>] which will (re)load the configuration
file SSL parameters into the existing services; all or, if specified, a single
service.
- Display a summary of available /DO=.. commands using /DO=HELP.
- When shutting down, restarting, loading new rules, and on ad hoc occasions,
add informal annotations to the server process log using /NOTE=".." at
the command-line, or from the Server Admin page /NOTE=.. can be
entered into the /DO= text field (quotes unnecessary).
- New SET mapping rule;
dir=title=[<integer>|default|owner|remote|this=<string>]
- User-defined logging directives 'II', 'TI', 'TS' and 'TU'.
- Proxy tunnels can convey the connecting host and port (client) details
into the system via the logical name WASD_TUNNEL using path settings
proxy=forwarded=for and proxy=forwarded=address.
- TLS/SSL Server Admin Report now can be accessed using (appropriately
authorised) HTTP. Previously this report was only accessible using HTTPS.
- The usual collection of server bugfixes and minor enhancements (see
[SRC.HTTPD]VERSION.H).
Version 11.1 (May 2017)
- Consolidates the HTTP/2 protocol introduced with v11.0.
- TLS/SSL refinements supporting OpenSSL v1.1.1 and TLS 1.3 (available
Real Soon Now).
- TLS/SSL client-based session tickets (used in lieu of server-based session
IDs).
- TLS/SSL default configuration (cipher list and options) maximises security
and is compatible with most modern agents (minimum Firefox 27, Chrome
30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8).
Ciphers require "Forward Secrecy" and presence of [LOCAL]DH_PARAM_nnnn.PEM safe
prime files. To support older clients the configuration must be downgraded.
See
https://wiki.mozilla.org/Security/Server_Side_TLS
- The "Raw"Socket scripting implementation is a variant of, and is
heavily based on, the WASD WebSocket infrastructure. It allows a service
(listening host and port) to accept a connection and immediately activate a
configured WASD CGIplus script to service that connection. Full-duplex,
asynchronous, bidirectional, protocol-agnostic input/output is supported.
- The CLI command /DO=SSL=CERT=LOAD reloads an SSL service's certificate.
Used by wCME to change certificate without server restart.
- New SET mapping rule;
proxy=header=<name>[=<string>].
- New configuration directives;
[ServiceRawSocket],
[ServiceSSLsessionLifetime],
[ServiceSSLverifyPeerDataMax],
[SSLsessionLifetime] and
[SSLverifyPeerDataMax].
- User-defined logging directives 'CL' and 'PL'.
- Script proctor has been extended to allow idle generic processes
(cf. persistent scripts and RTEs) to be maintained.
- Server Admin, Activity Report graphic now implemented using HTML5 canvas.
- Significant HTTP/2 bugfixes along with the usual collection of server
bugfixes and enhancements (see [SRC.HTTPD]VERSION.H).
Version 11.0 (May 2016)
- HTTP/2 support. Requires OpenSSL 1.0.2 or later. Check related
documentation carefully.
- HTTP Strict Transport Security (HSTS) support for TLS/SSL.
- Supports building against HP SSL1 V 1.0.
- No longer (from v11.0.2) supports HP SSL (based on OpenSSL 0.9.8n).
- New SET mapping rules;
dict=<key>=<value>,
http2=protocol=1.1,
http2=send=goaway[=<integer>],
http2=send=ping,
http2=send=reset[=<integer>],
http2=write=[low|normal|high],
response=sts=<integer>
- Additional meta-config conditionals; dict:, http2: and
request-protocol:
- New global configuration directives; [HTTP2protocol],
[HTTP2frameSizeMax], [HTTP2headerListMax], [HTTP2headerTableMax],
[HTTP2pingSeconds], [HTTP2streamsMax], [HTTP2initWindowSize],
[SSLstrictTransSec], [TimeoutHTTP2idle]
- New per-service directive [ServiceHTTP2protocol] disables HTTP/2 for that
service, and [ServiceSSLstrictTransSec] enables per-service HSTS.
- A key=value dictionary is available during conditional
configuration.
- An additional CGI "Script-Control:" directive
X-http-status=<integer>.
- X509 certificate processing now supports V3 extensions including Subject
Alternative Name (SAN) and (Microsoft) User Principal Name (UPN).
- Add "Refresh [<integer>] Seconds" selector to appropriate
Server Admin reports.
- WASD v11 can be built and run on VAX but HTTP/2 cannot meaningfully be
deployed due to lack of support for ALPN and SNI in available OpenSSL versions.
- This release (undoubtedly) introduced a number of server bugs along with
the significant code refactoring required. Seriously! This should be
considered a classic point-zero release and carefully evaluated for
production environments.
Version 10.4 (December 2014)
- Secure Sockets Layer (SSL), and its successor Transport Layer Security
(TLS), has undergone some refinement and finally provides WASD_CONFIG_GLOBAL
in addition to WASD_CONFIG_SERVICE and /SSL= command-line configuration. WASD
now supports only the TLS protocol family by default. Some older
clients employing SSL(v3) may fail to connect. The deprecated SSLv3 and
obsolete SSLv2 can be re-enabled by configuration.
- Directory listing (Index of) default is now formatted using HTML tables.
This should be completely transparent to the end-user. The mapping set
dir=style=anchor[2] can (re)enable the pre-v10.4 listing mechanism.
- New ?httpd=index directives;
?httpd=index&font=[inherit|monospace(D)],
?httpd=index&style=table[2] (default).
- New SET mapping rules;
client=[forwarded|if=forwarded|literal=|reset|if=xforwardedfor|xforwardedfor],
dir=font=[inherit|monospace(D)],
dir=style=table[2],
cors=age=<integer>,
cors=cred=[true|false],
cors=expose=<string>,
cors=headers=<string>,
cors=methods=<string>,
cors=origin=<string>,
ods=name=8bit, ods=name=utf8, ods=name=default,
webdav=[no]hidden,
webdav=meta=dir=<string>
- WebDAV now allows metadata files to be placed in one of three
configurable locations; with the data file (historic and default), in a
subdirectory of the data file directory, or in an independent area of the
file-system. NOTE: The location of directory metadata has moved from the
parent to the directory itself!
- Services may explicitly bind (WASD_CONFIG_SERVICE [ServiceBind]) to 0.0.0.0
(INADDR_ANY).
- User-defined logging directives 'CI', 'SR', 'SV' for SSL/TLS
cipher, SSL/TLS session reuse and SSL/TLS protocol version items, and COMMON+,
COMMON_SERVER+, COMBINED+ composite log formats.
- The new stream facility provides a lightweight, internally
generated response of printable characters or binary octets, at maximum server
and platform throughput, for testing or metric purposes.
- The Conan (VMS Help), HyperSPI, HyperReader and
Query scripts have had minor "look-and-feel" updates (a
passing nod to the twenty-first century :-) NOTE: Sites using customised
button lists, etc., should assess and if necessary adjust for new interfaces.
- The calendar, charset, colors, glist and
hdisk scripts, along with the gift GIF image code, have been
removed from the package. These are also completely removed by the update
"cleanup" procedure.
- A small number of server fixes and minor refinements.
Version 10.3 (October 2013)
- Secure Sockets Layer implements Server Name Indication (SNI), an extension
to the TLS protocol that indicates what hostname the client is attempting to
connect to at the start of the handshaking process. This allows a server to
present multiple certificates on the same IP address and port number.
- Directory listing (Index of) icons now uniformly attempt to supply
a plain-text version of the file. Some browsers and O/S still insist on
ignoring the response-specified content-type! Also see section Faux Extension
in Environment Overview.
- Directory listings can now be sorted other than by name. This
JavaScript-enabled capability also allows the listing to be resorted
on-page, on-demand, without re-request of the server.
- New ?httpd=index directives;
?httpd=index&ilink=[yes|no],
?httpd=index&local=[yes|no],
?httpd=index&override=[yes|no],
?httpd=index&query=<string>,
?httpd=index&style=<which>,
?httpd=index&sort=<char>[+|-],
?httpd=index&target=<string>,
?httpd=index&these=<wildcard1>[,<wildcard2>], and
?httpd=index&versions=<integer>|*
- A new control file, .WWW_WASD, can contain one or more ?httpd=index
directives for per-directory application.
- New SET mapping rules;
dir=[no]ilink,
dir=delimit=<which>,
dir=style=sort,
dir=style=<which>2,
dir=sort=<char>[+|-],
dir=target=<string>,
dir=these=<wildcard1>[,<wildcard2>], and
dir=versions=<integer>|*
- Keywords added to SET mapping rule;
put=rfm=[fix512|stm|stmcr|stmlf|udf]
- Keywords added to global configuration directives; [PutBinaryRFM]
[fix512|stm|stmcr|stmlf|udf], to [AddType] ftp: and rfm:.
- The per-service directive [ServiceNonSSLRedirect] allows a non-SSL request
at an SSL service to be redirected to the specified non-SSL service.
- An authorisation realm read-only group can be specified as an asterisk
("*") to represent that everyone else can read.
- The persona scripting environment now permits shared UIC accounts
(despite not being considered best practice).
- GZIP compression now directly supports the GNV LIBZ port via GNV$LIBZSHR32
(WASD checks for WASD_LIBZ_SHR32, then GNV$LIBZSHR32, finally LIBZ_SHR32
logical names).
- WebDAV on non-EFS (extended file system, i.e. VAX) has received some
necessary fixes and refinement. Within the constraints of ODS-2 it now works.
- There have been a number of fixes and refinements to the WebSocket
library.
- Server generated HTML and miscellaneous documentation have received some
refinement making them more compliant with modern practice and standards. Not
necessarily perfect but nevertheless improved.
- And a small number of server fixes and refinements.
Version 10.2 (November 2012)
- This is essentially a WebSocket maintenance release. There have been a
number of fixes and refinements to the library and associated server
processing.
- There is a new, niche authentication mechanism — token.
- And (of course) a small number of server fixes and refinements.
Version 10.1 (November 2011)
- Dragged kicking and screaming into the mid-1990s!
The WASD package used to build to a baseline of VMS V6.0 — it now
builds to a baseline of VMS V7.0.
Of course WASD now also requires a minimum of VMS V7.0 to execute.
- Secure Sockets Layer now supports SSLv3 and TLSv1 by default (previously
SSLv2 and SSLv3). If necessary, the vulnerable and deprecated SSLv2 can be
re-enabled using the /SSL= command-line parameter.
- HTML 5 WebSocket scripting implementation.
- Considerable effort has gone into eliminating alignment faults on Alpha
and Itanium (going from sometimes several hundred per request down to zero).
The server also continuously monitors alignment faulting and the Server Admin
menu now contains an associated report item (which should always report zero!).
- Additional meta-config conditionals; directory:, file: and
websocket:
- Global configuration directives [DclScriptProctor] proactively starts and
maintains DCL scripts and scripting environments, [RegEx]
enabled/disabled/<keyword>, [ServiceProxyChainCred] up-stream proxy
credentials, and [WWWimplied] enabling virtual hosts host.name and
www.host.name to be treated as synonymous.
- New SET mapping rules;
notimeout (short-hand for timeout=none,none,none),
map=uri,
proxy=chain=cred=<string>,
proxy=tunnel=request=<string>,
put=max=<integer> (kbytes),
put=max=* (unlimited),
regex=<keyword>,
script=lifetime=<hh:mm:ss>,
service=<keyword>,
websocket=<keyword>
- New DCL callouts LIFETIME: and SCRIPT-CONTROL:
- Mapping and authorisation configuration lines beginning
"!#" are now displayed in Server Admin reports and are
WATCHable during rule processing. This allows meaningful commentary to be
displayed within these reports.
- Command-line checks of configuration files /DO=AUTH=CHECK,
/DO=CONFIG=CHECK (all configuration files), /DO=GLOBAL=CHECK, /DO=MAP=CHECK,
/DO=MSG=CHECK and /DO=SERVICE=CHECK provide some insurance against fatal
configuration errors when restarting.
- Command-line control of WebSocket connectivity with
/DO=WEBSOCKET=DISCONNECT.
- Proxy tunnel requests can now introduce a mapped request header (see SET
above) to be sent to the remote server. This adds considerable flexibility in
WASD-to-WASD tunneling.
- Statistics Report durations no longer include proxy tunnel or WebSocket
requests (usually much longer duration) and so more accurately reflect the
general Web request response characteristics.
- IPv6 name resolution is now capable of resolving AAAA records.
Version 10.0 (November 2009)
- The first entry in the source code version log is
"20-JUN-1994, v1.0.0" which puts the v10.0 release well into
WASD's sixteenth year!
- Before UNZIPing the v10 package and when updating an existing v9.3 or
earlier installation the current root directory must be renamed from
HT_ROOT.DIR to WASD_ROOT.DIR. The v10 package uses [WASD_ROOT] as its
top-level directory in line with the other naming schema changes employing
"WASD". See Updating? Beware!
- After a development phase rivalling pachyderm gestation WASD finally
supports WebDAV 1,2.
- The schema for logical names has been changed to use a "WASD_"
prefix (in as much as possible considering backward-compatibility
requirements).
- Logical names are now (largely) confined to a WASD_TABLE logical name
table.
- Server and scripting process names now contain "WASD" (rather
than "HTTPd").
- ACME authentication DOI name of "*" indicates use the default of
ACME$LATEST_ENABLED_AGENT_LIST rather than a specified DOI (authentication
realm set to the DOI authentication realm).
- Global configuration directives [AuthSYSUAFlogonType] allows SYSUAF logon
type to be specified, [BufferSizeNetFile] and [BufferSizeNetMTU] allow some
scope for tuning transfer buffer size, [HttpTrace] enables/disables HTTP TRACE
method, [PutBinaryRFM] configures file record format, [ServiceLogFormat] allows
a per-service log format, and [WebDAV...] set various WebDAV characteristics.
- New SET mapping rules;
css=<URL>,
put=max=<kbytes>,
put=rfm=[FIX512|STMLF],
script=agent=as=<account>,
webdav=...
- Authorization rules using SYSUAF/VMS authentication allow a
'param="logon=type"' to specify the logon type
(NETWORK the default, LOCAL, DIALUP, REMOTE) to be restricted against.
- Services can now identify Secure Shell (SSH) connections. With a suitable
client (e.g. PuTTY) this can allow SSH tunnelling through a proxy gateway (i.e.
to port 443 and on to an SSH server via SSL proxy).
- WATCH script item allows a script to detect and respond to being WATCHed.
- The usual collection of server bugfixes and minor enhancements (see
[SRC.HTTPD]VERSION.H).
Version 9.3 (March 2008)
- WASD licensing has been moved to version 3 of the GNU General Public
Licence. This is a natural progression from version 2 under which WASD was
previously released.
- Server Admin, Request Report now initially lists only currently
processing requests. Persistent connections are subsequently included from
a button at the end of the report. Requests currently under throttle
control, and request history are similarly available.
- WATCH now provides filtering on response HTTP status. Note that this
is very late in request processing and so provides limited information.
Nevertheless it can be useful for locating requests generating unusual
response statuses.
- HTTPDMON now includes the GZIP compression ratio and any authenticated
user name and realm as part of the request data.
- Global configuration directives [SocketSizeRcvBuf] and
[SocketSizeSndBuf] allow socket receive and send buffers to be changed from
TCP/IP agent default. WATCH network item displays current (default)
values if not set, or values being set.
- [ServiceProxyAuth] has the additional keyword chain which
allows the propagation of proxy authentication credentials to an up-stream
proxy server. It is not possible to have multiple, chained proxies require
authentication.
- SYSUAF authentication is now unconditionally performed using ACME
($ACM service) for VMS V7.3 and later on Alpha and Itanium. This obsoletes
global configuration directive [AuthSYSUAFuseACME].
NOTE: The use of SYS$ACM has some implications on sites with some
users having a Pathworks account and others relying only on UAF accounts.
SYS$ACM fails with "%LOGIN-F-NOLOCAUTH, not authorized to override
external authentication" for Pathworks users. Setting SYS$SINGLE_SIGNON to
3 has no effect on that. The only workaround is to set the VMSAUTH flag for
each user. (Courtesy Jean-Pierre Petit of ESME-Sudria.)
- DCL scripting callouts REDACT: and REDACT-SIZE: (see below),
NOTICED: (and auth agent NOTICED), OPCOM: (and auth agent OPCOM), and
auth agent callout SCRIPT-META.
- Request redaction allows a scripting process (and
authentication agent) to suspend request processing, redirect to another URI,
and then resume original (or modified) request processing at a later stage.
This facility was introduced to allow PAPI authorization to be supported.
- A variant authorization realm can now be agent+opaque to
implicitly suppress the automatic username/password challenge (saves a
/PARAM=NO401 on each path).
- The usual collection of server bugfixes and minor enhancements (see
[SRC.HTTPD]VERSION.H).
Version 9.2 (November 2006)
- Documentation previously provided as PostScript is now in PDF.
This is produced via an intermediate PostScript version generated by
DECdocument which is then post-processed using VMS-based Ghostscript (currently
AFPL Ghostscript 8.54).
- Without completely reworking the documentation there has been a
significant amount of time spent attempting to ensure it is accurate and
up-to-date with some of the more arcane areas simplified and/or expanded.
- The Server Administration facility now contains an
[Active][Passive] pair of buttons. On multi-instance
sites this allows all but one instance to be made quiescent (not listening
for network connections). This can simplify the use of the WATCH facility by
"forcing" all requests through the remaining active instance. The
equivalent command-line directives are
/DO=INSTANCE=ACTIVE and /DO=INSTANCE=PASSIVE.
- The Server Activity graph now displays network connections, peak
and current, and more accurately represents requests, now total, max,
peak and current. It also has buttons [ - ][ + ] for controlling graph zoom
functionality.
- WATCH reporting has significant enhancements to allow requests to be
filtered in or out of the report based on client, service, request header
field, path and authentication criteria.
- Proxy affinity (also known as client to origin affinity,
courtesy Jean-Pierre Petit (jpp@esme.fr)) uses cookies to allow the proxy
server to make every effort to relay successive requests from a given client
to the same origin host.
- A tunnelled, raw (proxy) service request can now be chained to another
proxy server, generating an intermediate CONNECT request to navigate through
the up-stream proxy server.
- Access logging now supports an HOURLY period. Also, if access logs are
located on an ODS-5 volume the ODS-2 constraints on file name length are
relaxed. This allows the full service-host-name components, etc., to be
present in the log file name.
- The authorization realm OPAQUE allows a script to control all aspects
of an HTTP authorization interaction with a browser.
- Additional meta-config conditionals;
server-protocol: and
service:?.
- New global configuration directives;
[InstancePassive],
[ProxyConnectTimeoutSeconds] and
[ServiceProxyAffinity].
- New SET mapping rules;
proxy=reverse=[no]auth and
proxy=[no]affinity.
- An eclectic congregation of server bugfixes and minor enhancements
(see [SRC.HTTPD]VERSION.H).
- The [SRC.AGENT] directory contains two versions of working
LDAP authentication agents. These rely on the integrated LDAP support
available with VMS V7.3 and later.
- The QDLOGSTATS utility now allows entries to be selected on a date/time
since and before specification. This is supported when using the
CGI or command-line interface. There have been other minor refinements.
- The WOTSUP utility has seen significant enhancements. It will now
monitor and report all processes supporting multiple instances. HTTP status
code monitoring granularity improved so that individual codes can be reported
against. Emailed alerts now contain a subject field with an "executive
summary" of the contents. Check the source code for more information.
- A procedure SHUTDOWN.COM is now copied into the
[STARTUP] directory during installation. This shuts-down the server
and un-INSTALLs WASD-related files and is intended for inclusion in
site-specific system shutdown procedures.
Version 9.1 (June 2005)
- Extensions to GZIP response compression.
- Caching of GZIP content removing the need to recompress with each
response.
- Caching of proxied GZIP responses.
- GZIP compression of non-GZIPed proxy responses from proxy server to proxy
client.
- Revised multihomed service processing. This provides better service
discrimination and can ease some SSL certificate support constraints across
services using the same IP port.
- Per authenticated user request throttling. This allows control of how
many concurrent requests a particular authenticated user can have processing
against a particular path. An extension to the existing throttle facility.
- Additional /DO=NOTE=string command-line
directive. Provides ad hoc administrator data to meta-config conditional rule
processing. A quick, neat method for suddenly changing a server's (or cluster
of servers') rule processing!
- Modified
/DO=DCL=[PURGE|DELETE]=[USER|SCRIPT|FILE]=string
and
/DO=THROTTLE=[RELEASE|TERMINATE]=[USER|SCRIPT]=string
directives. These allow free-form parameters to be added to the basic
directive (e.g. a username) and are currently restricted to Alpha and Itanium
VMS V8.2 platforms (requires the 64 byte lock value block).
- The Server Administration facility now provides a
[/DO=]{<directive>} button and text field to allow the
equivalent of entering any /DO= directive at the command-line.
- The HTTPD$MSG logical name can now contain multiple values allowing a
"search list" message file specification where a local file need
only contain a subset of the full number of messages. This will remove the
need to merge local and WASD message files whenever a revised one is released.
- Additional meta-config conditionals; instance:,
multihome:, note:, robin:.
The robin: conditional provides an interesting processing
distribution mechanism.
- New SET mapping rules
script=control=<..>,
script=symbol=truncate.
- Modified SET mapping rule
throttle=<integer>/<integer> to support per authenticated
user throttling.
- The HTTPD$VERIFY logical name may now be defined to contain a
dotted-decimal IP address. This confines the
$ SET VERIFY
behaviour to the client with that IP address (more easily allowing script
trouble-shooting on a live server).
- Refined SYSUAF password expiry URL handling.
- A new utility named WOTSUP is intended for monitoring a WASD server in
a production environment and reporting via OPCOM, email and local-mechanism if
there is a real or suspected issue with its processing. Check the WOTSUP doc
(no, not original with me but I can't resist using it :-) in the source code
description in the [SRC.UTILS] directory.
- The UPDATE and INSTALL build procedures now contain an option to build
with CPU optimisations (/ARCHITECTURE=HOST). This can provide significant
performance improvements. CAUTION! In a cluster sharing various
Alpha CPU families (e.g. EV4, EV5, EV56, EV6, EV67) this could at best improve
the performance of some while degrading that of others; at worst it may create
an executable incompatible with some members.
Version 9.0 (December 2004)
- HTTP/1.1 compliance (RFC2616).
- Persistent connection and request pipelining (tested using Mozilla 1.7)
provides significantly and noticeably improved performance. Connection
persistence is now also supported for SSL, client->proxy and
proxy->origin server connections.
With the very real benefits of HTTP/1.1 connection persistence it may be
good policy to extend the HTTPD$CONFIG [TimeoutPersistent] directive
(formerly [TimeoutKeepAlive]) to something more like 00:00:30 (thirty
seconds). Also monitor [ConnectMax] (formerly [Busy]). This may need to be
extended to accommodate an increased number of connections persisting for a
longer period.
BETA testing showed that MSIE (6 at least) connection persistence over SSL
could be problematic with [TimeoutPersistent] less than ten seconds.
- Proxy processing is substantially HTTP/1.1 compliant, proxy caching
slightly less so but does not flagrantly flout HTTP/1.1 guidelines. Broader
response caching and persistent client->proxy and proxy->origin server
connections provide substantial performance improvements.
- Proxy tunnelling, an extension of the HTTP CONNECT method,
allows raw octet connections through WASD to independent applications (e.g.
telnet, SMTP servers) and SSL-encrypted octet connections between WASD servers.
- GZIP request and response content-encoding. In conjunction with the
ZLIB v1.2.1 (or later) port by Jean-François Piéronne.
- New logout functionality associated with
[AuthRevalidateUserMinutes] and/or SET auth=revalidate=
and "?httpd=logout".
- Explicit server code optimizations providing tangible performance
improvements.
- The WB (WASD Bench) utility now supports a variety of POST
functionality (originally needed to develop and test WASD's HTTP/1.1 chunked
transfer-encoding and GZIP content-encoding body processing).
- The PCACHE utility has been updated to handle v9.0 proxy cache files.
- A new utility FORMWORK, located in the [SRC.MISC] directory,
provides functionality for accepting and processing data POSTed from HTML forms
for input into comma-separated (CSV) files. (It was a q&d solution for
gathering user-input data on some 6,000 systems at my own site.)
- CGILIB now has a shareable image on Alpha and IA64 (none is supplied
for VAX - too many dependencies). The latest STARTUP.COM defines the
system-table logical name WASD_CGILIBSHR32 for this image. Check
[SRC.MISC]CGILIB_EXAMPLE.COM for a linkage example.
- New global configuration directives,
[ConnectMax] (supersedes [Busy]) max concurrent connections,
[EntityTag] enables the generation of file "ETag:",
[GzipAccept] accept gzip encoded request bodies,
[GzipResponse] level[,memory,window] gzip encoded responses,
[LogWriteFail503] service unavailable 503 response when access log write
fails,
[PipelineRequests] enables pipeline processing,
[ProcessMax] max concurrent requests being processed,
[ProxyCacheNegativeSeconds] for non-success responses,
[ProxyConnectPersistMax] and [ProxyConnectPersistSeconds]
for controlling proxy->server connection persistence,
[ServiceProxyTunnel] connect | firewall | raw,
[ServiceClientSSLcert] and others allow outgoing SSL config,
[TimeoutPersistent] supersedes [TimeoutKeepAlive].
- New SET mapping rules,
script=syntax=[no]unix,
response=gzip=<..>,
script=body=[no]decode,
report=tunnel.
- An additional CGI "Script-Control:" directive
X-content-encoding-gzip[=0|1].
Version 8.5 (June 2004)
- WASD 10th Anniversary
Although there had been some coding going on during the previous year, the
first official entry in WASD's version log is 20-JUN-1994, v1.0, with
the first freeware release some eighteen months later at
03-JAN-1996, v3.1. And it's been under continuous development and
refinement (and bugfixing :^) for that full ten years - a
substantial portion of the entire history of the "Web". Thanks to a
whole swag of people for support, suggestions, problem reports and general
encouragement; especially to my understanding spouse for her continuing
patience.
- IP version 6 (IPv6) is now supported concurrently with IP version 4
(IPv4). All networking functionality, service creation, proxy HTTP, SSL, FTP
and RFC1413 authorization is IPv6 enabled, along with the HTTPDMON and
QDLOGSTATS utilities. During the integration of IPv6 the full TCP/IP
networking codebase underwent significant refinement. Note that the IPv6
functionality has not been used extensively in the field - use with caution at
first!
- ACME authentication for Alpha VMS 7.3 and later is now available.
Two OpenVMS ACME agents are currently available, "VMS" (SYSUAF) and
"MSV1_0" (Microsoft domain authentication used by Advanced Server). Others,
including Kerberos and LDAP, have been suggested as candidates for development
and future release. The [AuthSYSUAFuseACME] configuration directive allows all
SYSUAF authentication to be performed by the ACME services on applicable
platforms.
- RMS has been eliminated from file content and proxy cache file access,
providing improved latency and efficiency. VAR and VFC record format files are
now converted to stream format using non-RMS routines and this alone returns a
600% improvement in throughput (yes 6x!)
- Path mapping now notes the device on-disk structure (ODS) for all PASS
rules and applies that to the syntax of the path being mapped to the
file-system. This can still be overridden using SET ods= mapping rules.
- A scripting process now performs a SET DEFAULT to the directory the
script is located in before script activation. The mapping rule SET
script=default= allows this to be explicitly set on a per-path basis. A
script=default=# mapping suppresses the SET DEFAULT (for backward
compatibility).
- On applicable platforms a scripting process now performs a SET
PROCESS /PARSE=EXTENDED or SET PROCESS /PARSE=TRADITIONAL depending on whether
the script path is located on an EFS (ODS-5) volume or not.
- It is now possible to set SSI document parsing availability and
capabilities on a per-path basis using SET ssi=exec=<string>.
- The SET response=[keyword|<string>] rule allows some
control over the response header generation.
- Scripts can now generate SSI markup as output and pass that to the
server's internal SSI engine for parsing and subsequent HTML output. The CGI
response extension header field Script-Control: X-content-handler: SSI
activates this functionality.
Version 8.4 (January 2004)
- The package now can be deployed on IA64 (Itanium) based
systems running HP OpenVMS Industry Standard 64 Evaluation Release
Version 8.1. Clusters of Alpha, IA64 and VAX systems can use the one,
fully-integrated installation. All supported WASD functionality is present,
with additional support package availability (e.g. Perl, PHP) dependent on any
underlying software support on the IA64 system. SSL (Secure Socket Layer)
functionality can be provided through the HP-supplied IA64 SSL product or the WASD
OpenSSL kit (for IA64).
- DCL scripting supports the VMS 7.3-2 (and later) Extended DCL
(EDCL) maximum command-line length (4095 characters, up from 255) and symbol
size (8192 characters, up from 1024). These extents are of course ultimately
constrained by the command mailbox quota (configurable).
- The server now supports the "Range:
bytes=<range>[,<range>]" request header field and will
provide a 206 partial content response for non variable record length files and
for cached files. The server will also proxy such requests and responses (but
does not cache them).
- The previously file-only caching facility has been extended to allow
script, SSI document and even "general network" output optionally to
be cached. This is intended to provide efficiencies for sites where
relatively static pages are being generated using environments such as PHP and
Perl. Additional SET cache= mapping rules allow this to be tailored
on a per-path basis.
- The HTTPD$CONFIG [CacheGuardPeriod] directive allows the default period
of fifteen seconds to be extended. The HTTPD$MAP rule SET
cache=guard=<period> provides this on a per-path basis. During
this period subsequent reloads using request header fields to specify
no-caching will not result in the entry being revalidated or flushed.
- For those who consider that a Web server should be a NETWORK service,
the server process (along with any associated script processes) can now run in
network mode. The STARTUP.COM procedure accepts a WASD_NETWORK parameter and
starts the detached server using the required /NETWORK qualifier. Scripts
that need to differentiate between standard and DECnet activation may require
some minor revision (see CGI_SYMBOLS.COM for one possible mechanism).
- The $GRANTID system service used to support /NETWORK mode operation
requires the server image to be installed with CMKRNL privilege. The revised
STARTUP.COM provides this.
- The /PERSONA=IDENT=<username> facility is now available to those
using the PERSONA_MACRO build (required for detached scripting processes under
VAX VMS versions earlier than 6.2).
- Script activation code has been revised to support command-line
definition files (.CLD) to specify a script. The order in which an un-typed
script is now searched for is .COM, .CLD, .EXE and then [DclScriptRunTime]
specified.
- Scripting will now allow parameters to be added to the command-line
activation on a per-path basis using the SET
script=command=<string> mapping rule.
- The HTTPD$MSG [Language] directive now allows a specified character set
to be associated with that language's messages.
- Reverse proxy now supports the rewriting of a 302
"Location:.." response URL using the SET
proxy=reverse=location=<string> mapping rule.
- Reverse proxy also supports a specialized authorization and
verification scheme known as proxy verify. For detailed information
consult the description found in the [SRC.HTTPD]PROXYVERIFY.C module.
- Some control over the number of concurrent client requests in progress
may be exercised using the client_current_gt: conditional to adjust
mapping and subsequent processing.
- New SET mapping rules,
cache=[no]cgi,
cache=expires=<period>,
cache=[no]file,
cache=guard=<integer>,
cache=maxkbytes=<integer>,
cache=[no]net,
cache=[no]nph,
cache=[no]query,
cache=[no]ssi,
map=root=<string>,
map=set=[no]ignore,
map=set=[no]request,
proxy=reverse=location=<string>,
proxy=reverse=verify,
response=header=<[append|full|none]>,
script=command=<string>.
- There is a new command-line utility HTADMIN to assist with the
maintenance of $HTA authorization databases.
- There have been some format refinements (or at least changes ;^) to
some Server Admin report items.
Version 8.3 (July 2003)
- WASD string matching (mapping rule, authorization rules, conditionals)
now supports Posix EGREP style regular expressions. Must be enabled using the
[RegEx] configuration directive and introduced using a leading "^"
character.
- Wildcard string matching (the WASD traditional method) has had
efficiency improvements implemented.
- "Specified" wildcard substitution allows mapping rules to
omit some matched portions and change the order of substituted portions when
processing result strings.
- A new Server Administration report menu item [Match]. This provides
direct access to the server string matching routines and allows the site
administrator to experiment with string matching and substitution.
- The file cache now allows the storage of permanent entries, as
well as the traditional volatile ones. Permanent entries are intended
for the most static but frequently accessed of all site files (e.g. site logos,
graphics, home pages, etc.) and are not flushed or revalidated in the same way
as static ones. The SET cache=perm mapping rule specifies the paths
associated with these resources.
- Additional meta-config conditionals; notepad:, regex:, request:, restart:.
- Additional mapping SET rules;
cache=[no]perm, cache=max=<integer>,
notepad=[+]<string>.
- Authorization break-in detection and evasion has been reworked so it
behaves in the same way as VMS LGI_BRK_LIM, LGI_BRK_TMO and LGI_HID_TIM
parameters. Two new parameters, [AuthFailurePeriod] and [AuthFailureTimeout],
in addition to the existing [AuthFailureLimit] are used to implement this. If
all or any are set to zero they assume the equivalent LGI_.. parameter value.
- A combination of VMS and rights ID authentication functionality
previously not possible is now provided using /SYSUAF=(VMS,ID).
- The instance functionality introduced with 8.0 has finally
demonstrated itself to the author's satisfaction. The test environment is a 4
CPU AlphaServer 4100 running OpenVMS 7.3-1 and Compaq TCP/IP Services 5.3-18.
A bug that exhibited itself on multiple CPU systems finally has been identified
and fixed.
- The common and combined log formats now include the HTTP protocol in
the request URL. The user format directives now allow 'PR' to specify the same
datum.
- The QDLOGSTATS utility now allows the use of Posix EGREP style regular
expressions when matching the various components of the log file.
- The CGIUTL (v1.10.n) shipping with the 8.3 package has a change in
behaviour for /MULTIPART /FIELD=<name> multipart/form-data POST decoding.
Previously the representative symbol names were
WWW_FORM_name_MIME_data, now they are (the more consistent)
CGIUTL_name_MIME_data. Allowing for this change may require
modification to scripts that use this functionality.
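A simplified model of the break-in detection and evasion behaviour described in the Version 8.3 notes above, added here as an illustration and not taken from the WASD sources. It assumes [AuthFailureLimit], [AuthFailurePeriod] and [AuthFailureTimeout] play the roles of LGI_BRK_LIM, LGI_BRK_TMO and LGI_HID_TIM respectively, keys records on source address plus username, and uses constructed LGI_ values and events; all class and function names are hypothetical.

```python
"""Simplified model of break-in detection and evasion (illustration only)."""
from dataclasses import dataclass, field

# Constructed stand-ins for the system LGI_ values a zero directive falls back to.
LGI = {"LGI_BRK_LIM": 5, "LGI_BRK_TMO": 300, "LGI_HID_TIM": 300}


@dataclass
class Suspect:
    failures: list = field(default_factory=list)  # times of failures still counted
    evade_until: float = 0.0                      # evasion is active while now < this


class BreakInTracker:
    def __init__(self, failure_limit=0, failure_period=0, failure_timeout=0, lgi=LGI):
        # Per the release note: a directive set to zero assumes the LGI_ value.
        self.limit = failure_limit or lgi["LGI_BRK_LIM"]
        self.period = failure_period or lgi["LGI_BRK_TMO"]
        self.timeout = failure_timeout or lgi["LGI_HID_TIM"]
        self.suspects = {}

    def attempt(self, source, username, password_ok, now):
        """Record one authentication attempt and return its outcome."""
        key = (source, username.upper())  # assumption: keyed on source + username
        suspect = self.suspects.setdefault(key, Suspect())

        # During evasion every attempt is refused, even with the right password,
        # so a guesser cannot tell when the correct one has been found.
        if now < suspect.evade_until:
            return "evaded"

        # Failures older than the period no longer count towards the limit.
        suspect.failures = [t for t in suspect.failures if now - t < self.period]

        if password_ok:
            return "ok"

        suspect.failures.append(now)
        if len(suspect.failures) >= self.limit:
            suspect.evade_until = now + self.timeout
            suspect.failures.clear()
            return "evading"
        return "failed"


def replay(tracker, events):
    """Feed (source, username, password_ok, now) tuples through a tracker."""
    return [tracker.attempt(*event) for event in events]


# Constructed sample events: three quick failures, then correct passwords.
SAMPLE_EVENTS = [
    ("192.0.2.10", "system", False, 0),
    ("192.0.2.10", "system", False, 10),
    ("192.0.2.10", "system", False, 20),    # limit reached, evasion starts
    ("198.51.100.7", "system", True, 25),   # different source is unaffected
    ("192.0.2.10", "SYSTEM", True, 30),     # correct password, still refused
    ("192.0.2.10", "system", True, 141),    # evasion has expired
]

if __name__ == "__main__":
    tracker = BreakInTracker(failure_limit=3, failure_period=60, failure_timeout=120)
    for event, outcome in zip(SAMPLE_EVENTS, replay(tracker, SAMPLE_EVENTS)):
        print(event, "->", outcome)
```
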
Version 8.2 (April 2003)
- New mapping rules,
dir=style[=default|original|anchor|htdir],
html=[bodytag|header|headertag|footer|footertag]=..,
cgiplusin=[none|cr|lf|crlf|eof],
proxy=[no]forwarded[=by|for|address],
proxy=[no]xforwardedfor[=enabled|address|unknown],
script=query=none,
script=path=find,
script=as=$?,
[no]search=none.
The plus variation on the existing script=params=+(name=value)
concatenates to any previously set script parameters.
- The html= path SETings can be used to set body, header and
footer tags and text for incorporation in directory listings, error reports
and selected other facilities. These also are available to scripts via the
HTML_name CGI variables.
- A SYSUAF authenticated security profile (/PROFILE) can now be applied to an
HTTPD$AUTH path via the authorization rule (rather
than using the set [no]profile mapping rules). The startup keyword
/PROFILE=BYRULE directs the server only to apply security profiles if the
authorization rule has such a directive.
- CGI output processing has been relaxed to accept any CGI response
header field in any order provided that one of Content-Type:,
Location: or Status: occurs somewhere in the response (i.e.
actually is CGI compliant). To allow RTEs to be built using certain
processing environments (e.g. PostScript) the CGI engine now will build (no
matter how inefficient) single byte records into composite new-line delimited
"real" records before processing.
- Run-Time Environment (RTE) scripting attempts to reuse processes that
were previously processing the same script and if possible path (to allow the
RTE to cache these if desired). If none is available, the Least Recently
Used (LRU) RTE is activated, in an attempt to allow the more
recently/frequently used ones to keep their cache.
- The HTML_name CGI variables are available to scripts and Server
Side Includes (SSI) documents reflecting the content of any set html=
rules, and the GATEWAY_EOF, _EOT and _ESC CGI variables provide the CGI
processing sentinel strings to environments that cannot access the contents of
the corresponding logical names.
- HTTPD$MSG message configuration files now allow multiple,
comma-separated and wildcard [Language]s to be specified.
- Authentication agents can issue a "100 REASON any
text" callout response to provide an explicit reason for
authentication failure.
- Server processes created during startup under VMS 6.2 and later have a
YYYYMMDDHHMMSS timestamp as part of the process (SYS$OUTPUT) log name.
- A change that occurred in OpenSSL 0.9.7 certificate Distinguished Name
(DN) record format from /email to /emailAddress is now allowed
for.
- Courtesy of Dick Munroe (munroe@csworks.com); the CGIUTL utility has
received some significant enhancements, convert-osu-to-wasd.pl and
framework.pl conversion utilities (see [EXAMPLE]), and
SERVER_NEUTRAL_CGI.COM CGI wrapper (see [SRC.OTHER]).
- There have been small refinements to the 8.1 environment installation,
update and support utilities.
- The favicon.ico can be mapped into any relevant service using
the HTTPD$MAP rule pass /favicon.ico /wasd_root/favicon.ico
- Document and script LINK/VLINK colours have been changed to a more
muted blue (#0000ff to #0000cc). It was suggested, and I agree, that this is
easier on the eye and generally works better.
Version 8.1.1 (January 2003)
- A minor, couple of bugfixes and documentation release.
- I didn't want these nuisance-value issues complicating an already
significant upgrade. The SECHAN utility during batch startup could prevent the
server starting due to an illegal I/O request (enabling ctrl-T). Using the
/DO= functionality could occasionally fail with a NOSYSLCK error and report
4294967295 servers notified (hmmm, that seems a magic number ;^)
This was due to a race condition.
- The set script=query=relaxed mapping rule allows unbalanced
name-value pairs in form-url-encoded query strings to be ignored by the server
and passed on to the script for processing.
- The QDLOGSTATS utility has been enhanced.
- A new method of selectively updating a site's files using a full archive
is available using the [INSTALL]SELECT.COM procedure. This will eliminate the
need for package update kits to be supplied (saving me time) while still
allowing only those files required to be updated to be restored.
Version 8.1 (December 2002)
- Versions prior to 8.1 have been shown to have some security issues with
directory tree structure and permissions, and a too-liberal default ([EXAMPLE])
configuration. Problematic server functionality has also been addressed.
Whether updating or installing from scratch, please (re)read the
[doc.misc]wasd_advisory_020925.txt and the revised Technical Overview section
5 - Securing The Site. Be prepared for some minor issues related to changes in
package security profile.
- You must use the full environment of 8.1, including the new
startup procedures, otherwise package behaviour is indeterminate. Ensure that
HTTPD$CONFIG directive [DclDetachProcess] is set to enable to
allow the server to use the scripting account (HTTP$NOBODY).
- A number of problems present in the v8.0 release have been resolved.
This includes some bugs but also functionality issues.
- WASD SSL (Secure Socket Layer) functionality can now be provided
through the Compaq SSL for OpenVMS Alpha product on VMS versions 7.2-2
and later. The WASD HTTPd can be compiled against this toolkit, and/or linked
against its shareable libraries. This provides a considerable saving in
executable size and memory consumption when multiple SSL applications are in use
against this product. It also aligns WASD with the emerging Open Source
Security architecture for OpenVMS. The WASD OpenSSL kits will continue to
be released to support platforms that cannot use the Compaq SSL product.
- INSTALL and UPDATE procedures now detect SSL toolkits available to WASD
and request whether an SSL enabled version of the server should be built. This
eliminates the second step of @UPDATE SSL previously required.
- "Skeleton-Key" authentication has been provided to allow
non-configured access to the Server Administration facility for novice
administrators on newly installed sites (amongst other uses).
- ODS-5 (Extended File System) volumes and naming conventions have been
supported since their release. Now SRI file name encodings (Process Software
MultiNet and TCPware NFS and other utilities), PATHWORKS (4/5) and Advanced
Server file name encodings (PATHWORKS 6, also used by Samba on ODS-2) can be
converted for direct use and display by the HTTPd. The path settings ODS=2,
ODS=5, ODS=ADS (syn. ODS=SMB), ODS=PWK and ODS=SRI control these mappings.
- DECnet scripting rules can now specify that the script be executed
under the account of an authenticated username (e.g. '/NODE"$"::/cgi-bin/').
The set script=as= mapping rule can also now be used with DECnet scripts.
- The ALERT path setting can now optionally specify when to provide the
alert; ALERT=MAP (immediately after mapping), ALERT=AUTH (after any
authorization) and ALERT=END (default, at end of request processing).
- Other new mapping rules, set auth=all, set alert=keyword,
set map=ellipsis, set query-string=, set report=4nn=nnn.
- Additional meta-config conditionals, mapped-path:,
path-translated:, script-name:, redirected:, pass:,
and additional keywords to ods:.
- Additional mapping conditionals, [MP], [PA], [PI], [RC], [RU], [ST]
that parallel the meta-config conditionals above (yes, I know these are
described as obsolete ;^).
- Scripts may now request the server to generate an error message on its
behalf using extensions to the CGI/1.2 "Script-Control:" response
fields. This can give a very consistent look and feel to these responses.
- New utility SECHAN. This provides a collection of functionalities used
to maintain package security and access to various directories and files for
server and scripting accounts.
- Remember that when installing or modifying scripts they need to be
copied into [CGI-BIN] and [AXP-BIN] or [VAX-BIN] (convenience logical CGI_EXE:)
to make them accessible to the server.
- The Compaq TCP/IP Services ECO that will allow instances to be
used in production has not yet been released (see immediately below).
Version 8.0 (July 2002)
- Instance support, where multiple server processes on a
single node participate in an integrated environment (not unlike clustering
itself) to share request load, provide rolling restart and a
"fail-through" capability. Load sharing allows multi-CPU systems to
significantly improve throughput. This instance implementation also
provides an enhanced level of cluster-wide serving awareness.
WARNING Compaq TCP/IP Services v5.n (at least) has a
problem with socket listen queuing that can cause services to "hang"
(should this happen just restart the server). Ensure you have the
requisite ECO installed before activating multiple instances on production
systems!
- Mapping and authorization now share a consistent set of conditional
rules (similar in intent but different in implementation to the previous
mapping-only conditionals) that allows individual or blocks of rules to be
conditionally applied depending on request, system, environment and other
characteristics.
- Language-variant documents can be configured and selected by the server
depending on client browser language preference settings. For instance, a
directory may contain generic (EXAMPLE.HTML), French (EXAMPLE_FR.HTML),
English (EXAMPLE_EN.HTML) and German versions (EXAMPLE_DE.HTML) of the same
document. As indicated by preferences expressed in the
"Accept-Language:" request header field a German client will receive
the Deutsch version (EXAMPLE_DE.HTML), French the Française
version (EXAMPLE_FR.HTML), etc., with a fallback to the generic if no
appropriate document is available or the client has not specified a preference.
Can be applied to non-text files.
- Language character set conversion. Using the VMS standard National
Character Set (NCS) conversion library a document's character set may be
converted dynamically (and efficiently) from one to another as indicated by
preferences in the request "Accept-Charset:" header field. This has
particular application for non-Latin-1 sets such as the Cyrillics used by some
East European languages.
- Script response header processing (CGI and NPH detection) has been
refined to better handle non-record-oriented responses. This improves
behaviour when scripts use the likes of fwrite() under the current
DECC-RTL to provide portions of response header fields. It is not a total
solution however, with some concessions still required for record-oriented
output without explicit carriage-control.
- Proxy serving now supports FTP.
- Proxy can also now perform HTTP-to-SSL (Secure Sockets Layer)
gatewaying, allowing non-SSL-aware agents access to SSL services, as well as
HTTP-to-FTP, SSL-to-HTTP, and other combinations of protocol conversion.
- Additional configuration directives;
[AuthCacheEntriesMax],
[AuthCacheEntrySize],
[AuthSysUafPwdExpURL],
[AuthSysUafAcceptExpPwd],
[CharsetConvert],
[InstanceMax],
[LogPerInstance],
[ProxyCacheNoReloadSeconds],
[ServiceProxyHttpSsl..],
[SsiSizeMax]
- Additional mapping SET rules;
alert,
accept=lang,
auth=revalidate=hh:mm:ss,
auth=sysuaf=pwdexpurl=,
dir=access=,
http=accept-charset=,
http=accept-language=,
proxy=bind=IP-address,
proxy=chain=host:port,
script=params=(name=value[,name="quoted value"]).
The charset= rule also has an additional behaviour.
- Mapping SET rules may now be appended to any rule that contains both a
template and result. Hence a final match can also be used to set path
characteristics as in pass /documents/* /ods5_device/docs/* ods=5
- Additional /DO=INSTANCE=integer
and /DO=PROXY=STOP=SCAN command-line directives.
- The retirement of the WWWRKOUT utility. The addition of two other
utilities; WB (WASD Bench, a $QIO-driven analogue to Apache Bench :^) and
CALOGS (Consolidate Access LOGS).
- Request body handling (POST and PUT) has been revised to process the
body in discrete chunks eliminating the requirement for the server to buffer
the entire content in virtual memory. This effectively removes any processing
limitation on request body size.
- Ever found it annoying not being able to easily read a file you know
contains text but the file type is not configured or is configured for
something else? Well, from a directory listing just click on the icon. For
non-textual file types the icon is now an anchor returning the file as a
plain-text document (regardless of its real content)!
- Activity statistics are now stored in a permanent global section
allowing activity graphs to span startups to a maximum of 28 days activity.
Peak load is displayed on the request histogram, and server exit and startup
events are indicated using vertical lines of different colours.
- Plenty of "under-the-hood" changes supporting the new
instance functionality and the greater cluster awareness (in preparation
for cluster-wide (perhaps even galaxy-wide :^) scripting and other
sharing in forthcoming versions).
Version 7.2.1 (November 2001)
- A minor, basically bugfix release.
- One notable functionality item, persona scripting support (non-server
account) for VAX VMS versions that do not support the $PERSONA services (i.e.
6.0 and 6.1). The PERSONA.MAR module performs a similar function by
explicitly manipulating the process structures in kernel mode, operating in a
well accepted but basically unsupported fashion! Check the build and
scripting documentation for further details.
Version 7.2 (July 2001)
- X.509 certificate authorization for SSL transactions. This allows
authorization credentials to be established via client certificate without the
use of username/password dialogs.
- For SSL servers it is now possible to use private keys without embedded
passwords. As the SSL service is started the server prompts via HTTPDMON and
OPCOM (if enabled) for the private key password. It can be supplied using a
/DO=SSL=KEY=PASSWORD directive.
- Authorization via the RFC1413 "identification protocol".
- Remote user to local SYSUAF user "proxy" access.
- Control of request processing, known as
"throttling", sets limits on the number of concurrent requests being
processed before new requests are queued. Can be used to limit instances of
resource intensive processing as in the case of some scripts, etc.
- CGIplus/RTE has a lower overhead, higher efficiency and throughput
(50% to 100% increase) CGI variable transfer mode. Historically CGI
variables have been transferred one per record, now termed "record"
mode. It is also possible to transfer variables as a single I/O, or in
"struct" mode. CGILIB now enables this by default. Just relink as
necessary.
- Scripts are no longer automatically run-down if a client disconnects
while processing. The [DclBitBucketTimeout] period must expire first. This
results in most scripts and/or the associated process continuing to be
available for use with another request, a significant efficiency improvement.
- Improved script run-down handling. Scripts executing images are
$FORCEXed before processes are deleted, allowing exit handlers to gain control
for more elegant releasing of resources, etc.
- It is now possible to specify a maximum CPU time limit on a per-script
basis using the SET SCRIPT=CPU=hh:mm:ss mapping rule. This may be
particularly useful in allowing for run-away user scripts.
- Only selected HTTP status code reports need to be customized using the
[ErrorReportPath] directive, those remaining still being handled internally.
- The EXEC rule now allows not only directories to be specified as script
repositories but also file types. This allows files with a particular
extension to be designated as executable scripts no matter where they occur in
the specified path (and can be used to map ex-Purveyor scripts for example).
- "Monitor" data and "control" directives (/DO=) now
communicate via shared memory in a global section. This is significantly more
efficient and versatile. (Note that images must be installed with PRMGBL,
SHMEM (VAX only) and SHRGBL).
Version 7.1.1 (January 2001)
- A minor release corresponding to the closing of OpenVMS Freeware CD V5
submissions.
- The usual bugfixes :^)
- CGILIB has been updated for the new CGI interface requirements
of Compaq Secure Web Server (CSWS) V1.0-1 (based on Apache 1.3.12).
- A "standard" area for script scratch space ... with the
server cleaning up behind those that fail to. See the Scripting
Environment, Introduction.
- QDLOGSTATS can now be used as a script and will provide an HTML
form-based interface page.
Version 7.1 (November 2000)
- Scripting process creation has been moved from LIB$SPAWN() to
SYS$CREPRC(). This allows some interesting new features including detached
processes and scripts executing under non-server accounts (on VMS versions 6.2
and later), including user accounts. Subprocess scripting is still the
default (i.e. it is backward compatible). Check the "Scripting
Overview, Introduction" for the details.
- Selected server administration menu and command-line /DO= directives
can now be simultaneously applied to all servers on a node or across a cluster.
To see this in action, even with only one existing server on a single node, do
a $ @HT_ROOT:[000000]FREEWARE_DEMO and then
access the system's server Administration Menu.
- The server administration menu now provides specific functionality for
maintaining service and message configuration.
- Proxy cache maintenance scans are now cluster-aware. A server
undertaking a scan locks the cache, preventing other servers from
simultaneously attempting to perform maintenance activities on the cache.
- Run-Time Environments are a persistent scripting mechanism designed to
support interpreters like Perl and Java, with the objective of reducing
response latency, increasing throughput and reducing system impact. This
version includes an example Perl RTE, which can give a performance
improvement of some twenty-five times on standard CGI Perl scripts! For
Perl distribution considerations this Perl RTE must be fully compiled and
linked locally.
- A new configuration directive [CgiStrictOutput] introduced in WASD 7.0
directs the server to report script responses that are neither CGI nor NPH (i.e.
have none or a faulty response header). This is enabled in the 7.n
example configuration files. Site administrators that do completely new
installations may find their old scripts are now being reported as "ERROR
502 - External agent did not respond (or not acceptably)." Either
modify the script to supply an appropriate header (preferable) or disable the
configuration directive.
- There have been some other refinements to the scripting environment and
more detailed information provided in the Scripting Overview. It is
recommended site administrators and script authors review this.
- CGILIB has been modified to become an object module/library. Compared
to the code #include this is a more elegant method for delivering its
functionality. More significant WASD scripts have been modified to support
this version (e.g. Conan, HyperShelf/Reader, WASDquery and others). The
#includable functionality is still available.
- Changes in VMS Apache BETA behaviour between 1.3.9 (T1.3-9AG)
and 1.3.12 (1.3-12) make some WASD Server and CGILIB code ineffective. As
far as the author can tell there is no way to send a binary stream from a
script via T1.3-12. Whether or not future changes to VMS Apache restore this
functionality cannot be determined at the current time.
- The CGIUTL scripting utility has been enhanced so that POSTed request
fields containing multiple lines (e.g. <TEXTAREA>s) can be processed into
DCL symbols one line per symbol.
- HyperShelf now allows a URL item type. This allows a URL to be
added to an ODL or BookShelf shelf file, providing a direct link to HTML/Web
resources external to the local host or Bookreader environment.
- The FETCH utility FTP processing has undergone a major revision and now
should present far fewer issues with some sites.
- A new utility QDLOGSTATS allows elementary server log statistics to be
generated on an ad hoc basis.
- Built and verified against OpenSSL 0.9.6
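The [CgiStrictOutput] item above separates CGI, NPH and non-conforming script output. As an added example (not WASD code), this Python checker classifies captured script output offline so old scripts can be audited before the directive is enabled; it assumes the RFC 3875 header rules, which may differ from WASD's own checks, and all sample outputs are constructed.

```python
import re

# At least one of these fields must appear in a CGI (parsed-header) response
# under RFC 3875; this rule set is the example's assumption, not WASD's code.
CGI_REQUIRED = {b"content-type", b"location", b"status"}
FIELD_RE = re.compile(rb"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*)$")
NPH_RE = re.compile(rb"^HTTP/\d\.\d \d{3}( |$)")
HEADER_END_RE = re.compile(rb"\r?\n\r?\n")


def classify(raw):
    """Return (kind, reason); kind is 'CGI', 'NPH' or 'INVALID'."""
    end = HEADER_END_RE.search(raw)
    if end is None:
        return ("INVALID", "no blank line terminating a response header")
    lines = re.split(rb"\r?\n", raw[:end.start()])

    # An NPH script writes the HTTP status line itself, then header fields.
    is_nph = bool(NPH_RE.match(lines[0]))
    names = set()
    for line in (lines[1:] if is_nph else lines):
        m = FIELD_RE.match(line)
        if m is None:
            return ("INVALID", "faulty header line: %r" % line[:40])
        names.add(m.group(1).lower())

    if is_nph:
        return ("NPH", "script supplied the full HTTP response")
    if not names & CGI_REQUIRED:
        return ("INVALID", "no Content-Type, Location or Status field")
    listed = ", ".join(sorted(n.decode() for n in names))
    return ("CGI", "header fields: " + listed)


# Constructed sample script outputs (not taken from any real WASD script).
SAMPLES = {
    "good_cgi": b"Content-Type: text/html\n\n<h1>ok</h1>\n",
    "redirect": b"Location: /moved/here.html\n\n",
    "nph": b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\nhi\r\n",
    "no_header": b"<html><body>legacy script output</body></html>\n",
    "missing_colon": b"Content-Type text/html\n\n<p>x</p>\n",
    "no_required_field": b"X-Note: demo\n\nbody\n",
}


def audit(samples):
    """Map each sample name to its classification kind."""
    return {name: classify(raw)[0] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        kind, reason = classify(raw)
        print("%-18s %-8s %s" % (name, kind, reason))
```

Scripts classified INVALID here are the ones most likely to produce the 502 report once strict output checking is on.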
Version 7.0 (June 2000)
- A major release version number change due to more significant changes
to some server processing than could be justified as a minor version update.
- Extended file specification support. Under Alpha VMS V7.2ff the server
and relevant scripts are ODS-5 volume compliant. This has a number of
implications for server management and user activity. Please read the
relevant section of the Technical and Environment Overviews.
- Built and verified against OpenSSL 0.9.5
- Some VMS Apache-like CGI scripting compatibility characteristics
(based on the 1.3.9 BETA). These are intended to ease (or even remove
completely) script portability issues between the WASD and Apache environments.
CGILIB has also been modified to support VMS Apache (meaning WASD scripts using
CGILIB run unmodified under Apache CGI).
- The server will now generate OPCOM messages against various categories
of events, e.g. server startup/exit, authorization failure, server
administration (e.g. mapping reloads, etc.), configured using the [Opcom...]
configuration directives.
- Server error (and success) response page format improved (or at least
changed). More Apache-like, consistent, informative and (in the
author's opinion) aesthetically pleasing. There is now a simple mechanism
(based on per-server configuration or request path SETting) for providing basic
or detailed error responses.
- Three [...BodyTag] directives allow the <BODY> tags of server
generated pages (such as error reports, directory listings, etc.) to be
specified. This can provide a site with a significantly consistent
"look-and-feel". In addition the actual format and contents of
server error and success response pages may be specified using the HTTPD$MSG
configuration file.
- The [LogPerService] configuration directive used to generate a log file
using only the host name of a service (which can be problematic when virtual
services share the same name, e.g. WWW.domain.com). It now generates a unique
name based on as much of the full service IP name string as can be accommodated
by VMS syntax constraints. Previous behaviours can be retained by enabling the
[LogPerServiceHostOnly] directive.
- Cookie-based session tracking is available using the [Track...]
directives.
- The [SearchScriptExclude] directive allows specified file types
(extensions) to be excluded from processing as implied keyword searches when a
query string is present.
- The directive [AuthRevalidateLoginCookie] activates a
cookie-based solution to consecutive authorization dialogs sometimes
occurring when [AuthRevalidateUserMinutes] is active.
- .HTA and .HTL authentication databases require renaming to .$HTA
and .$HTL (see Updating? Beware).
- The update facility has had slight aesthetic improvements (or at least
changes) and slightly simplified capabilities.
- Proxy services may now have proxy authentication applied to
them. This controls access to a proxy service using a separate and distinct
proxy authentication dialog supported by modern browsers.
- A new tool, ApacheBench © The Apache Group, as used in the
Apache Distribution, is included with this package (within licence conditions).
It allows ad hoc server benchmarking and stress-testing (requires VMS
7.n or greater).
- Additional information and a Perl module for using Perl within the
CGIplus environment has been provided.
- There are now a few coloured icons in the HT_ROOT:[RUNTIME.HTTPD]
available if the b/w ones seem a bit lifeless ;^)
Version 6.1 (December 1999)
- NETLIB is no longer supported/required. The remaining TCP/IP packages
for VMS, Compaq TCP/IP (UCX), Multinet and TCPware, all support the BG driver
interface (UCX $QIOs) so this can be used exclusively.
- Authentication agents provide "easily" created,
external authentication/authorization functionality. These are essentially
CGI/CGIplus scripts (with all the attendant programming simplicity of this
environment) specially invoked by the server for authorization purposes.
Working examples, including an OSU CEL-compatible authenticator, are provided.
- CGI and CGIplus scripting support for callouts. These provide
direct script-server dialogs, allowing various capabilities.
- Virtual hosting is far more comprehensive than in the base version of
6.0 (although it was actually reworked for v6.0.2). It now supports mappings
against the request "Host:" header field, as well as for multi-homed
hosts.
- OpenSSL v0.9.4 has been built and tested against v6.0 and v6.1, with
build and update procedures modified to support it. SSLeay is no longer
supported against this version (though may continue to link and work).
- The Server Side Includes processor now supports OSU-specific directives
to provide transparent integration of OSU .HTMLX documents into the
WASD environment.
- A new USER mapping rule provides /~username/ mappings using
the default device and directory from the SYSUAF.
- As from v6.0.2 SYSUAF authentication honours NETWORK and REMOTE access
account restrictions, a new mechanism was required to support nil-access
accounts. This is implemented using a new rights identifier, WASD_NIL_ACCESS.
- Administration Menu reports now allow a SHOW PROCESS
/ALL to be performed on HTTPd processes (server, subprocess and
DECnet scripts). The latter also allow individual deletion from the same report.
- The CGILIB source code has been considerably extended to support
response generation, CGI callouts and the Purveyor environment.
- The server can be used to cause the browser to cancel authentication
against a particular path. Use "/what/ever/path?httpd=cancel", clear
the fields and OK it. Then go backwards and access the original path, which
should reprompt for authorization.
- Documentation now only supplied in HTML and PostScript formats.
Plain-text and Bookreader formats are no longer generated, to help reduce the
size of the distribution, and as a reflection of the diminishing importance of
these formats.
Version 6.0 (June 1999)
- Proxy HTTP and FTP serving, with local HTTP caching.
- Authentication and authorization environment extension and refinement.
- Much improved WATCH detail for DCL, SSL and authorization.
- SSL now supported using the OpenSSL 0.9.3 toolkit (with initial backward
compatibility with previous SSLeay releases).
OpenSSL now has integrated VMS support (largely thanks to Richard Levitte
(levitte@lp.se)). WASD SSL packages include
only object libraries, application objects, and support procedures (i.e.
sufficient to support WASD's SSL). If a full OpenSSL toolkit is desired it
should be obtained separately from
http://www.openssl.org/ or
http://www.free.lp.se/openssl/
and built locally.
- CGILIB.C source code library for easing the production of CGI C
Language scripts.
- ISAPI scripting environment.
- New TMAILER script (WASD drop-in replacement for the OSU TMAIL script).
- New CGIUTL utility, assisting with scripting at the DCL level
(particularly processing POSTed requests).
- Improved FETCH script/utility.
- Statement concerning Year 2000 and related
issues. WASD HTTPd v6.0 has had its directory listing dates extended to
include a four digit year component.
Version 5.3 (November 1998)
- This release has some internal modifications improving performance and
granularity of processing under high loads. CGI scripting performance has also
been improved, and CGIplus is 75% faster in response.
- The WATCH facility, accessible from the administration menu, provides
an online, real-time, in-browser-window view of request processing in the
running server. Being able to observe live processing on an ad hoc basis,
without changing server configuration or shutting-down/restarting the server
process, makes this facility a great configuration and problem resolution tool.
- While virtual service support has been possible for some time, v5.3
extends this with a specific virtual server rule syntax and server startup
procedures easing the support of virtual servers, multiple server processes on
the one system, and multiple server systems within a cluster. Check the new
STARTUP.COM and STARTUP_SERVER.COM functionality.
- A new SET mapping rule allows ad hoc characteristics to be set against
a particular path or file template. File caching, stream-LF conversion,
character set, content-type, expiry, invalid-RMS-character can currently be set
on a per-path basis.
- Local-format error reporting, using CGI scripting, Server Side Include
documents, or even "flat" HTML files, can now be configured using
the [ErrorReportPath] configuration directive.
- SSL services may now use a server-common certificate, or each a
service-specific certificate (in line with other virtual service improvements).
- The [AddType] configuration directive now allows a character set to be
specified with the content-type.
- Performance comparisons with OSU 3.3a are provided (as requested by
a few of the curious).
Version 5.2 (September 1998)
- This is really a very minor revision with two bug-fixes. It coincides
with the closing date for OpenVMS Freeware CD V4.
- DECnet scripting now supports connection reuse (as does OSU 3.3a)
improving latency and throughput of network-based CGI and OSU scripting.
The [DECnetReuseLifeTime] and [DECnetConnectListMax] configuration parameters
support this.
- The [AuthRevalidateUserMinutes] configuration parameter specifies
the maximum period between successive authenticated requests before the user is
forced to re-enter the authentication information. Zero disables this
functionality.
- The [LogExcludeHosts] configuration parameter allows certain hosts
or ranges of hosts to be excluded from access logs. This can eliminate the
web-administrator's "noise" accesses, etc.
- The [StreamLFpaths] configuration parameter limits variable record
to stream-LF file conversion to specified paths.
- The [DirNoImpliedWildcard] configuration parameter allows selection of
directory listing behaviour for subdirectories with home pages.
- Improved HyperShelf/HyperReader behaviour in DECW$BOOK environments.
Version 5.1 (July 1998)
- The package's build support and distribution content has undergone a
significant overhaul. VMS V6.0, V6.1, V6.2 through to V7.1 should be supported
(almost) out-of-the-box. Executables are no longer provided! All
installations and updates will require a link prior to any other activity.
To assist with this, along with installation and maintenance in
general, two procedures are provided:
- INSTALL.COM
- UPDATE.COM
- The HTTPd itself has generally undergone minimal change. A few
improvements to HTTP behaviour. A small number of bug-fixes.
- The Server Side Includes processor has been considerably extended,
providing facilities similar to Apache's XSSI. User-assignable variables
and the conditional processing of sections of a document provide the main
functionality.
- For servers providing multiple services a per-service access log may
now be generated. See configuration parameter [LogPerService].
- The server now allows a request to specify the content-type of a
returned file.
- Finer control in the use of SYSUAF authentication is now possible
using rights identifiers and the server /SYSUAF=ID qualifier.
- User CGI and OSU scripting is now supported within WASD's DECnet
scripting environment.
- SSL support is now provided using a package based on SSLeay v0.9.0b.
The server will still link and work with the 0.8.1 version.
- WASD script output has been changed to provide a more consistent
look-and-feel, including customizable colour schemes (consult the source
code for more information). Extensive use of HTML 3.2 tables provides heading
and button formatting (in the late '90s we should be expecting at least this
from our GUI browsers, and Lynx v2.8 still reproduces the pages quite
acceptably). A non-table-centric layout is also generally available. Logos and
other non-essential graphics have been eliminated improving the overall
efficiency and responsiveness.
Some scripts have had their behaviour or functionality slightly improved
(or at least changed ;^) In particular, the HyperReader script has
(arguably) better layout, robustness and non-English language document
friendliness.
Version 5.0 (March 1998)
- Secure Sockets Layer protocol (SSL), supported using SSLeay v0.8.1
(optional package).
- DECnet-based CGI and OSU-emulated scripting.
- Directory listing file size may now be configured to display in bytes,
kbytes and Mbytes. I like bytes,
try [DirLayout] I__L__R__S:b__D
- Of course new bugs have been introduced through the ongoing process of
fixing the old bugs, making refinements and introducing new capability
;^)
Version 4.5 (November 1997)
- Configurable, monitorable file data and revision time cache introduced.
- Configurable script run-time environments. Script interpreters such as
Perl may now be transparently activated to execute a particular script.
- Log files may now be configured to change according to a specified
period ... daily, weekly, or monthly, providing some automation in managing
file duration and size.
- Minor bugs fixed and minor refinements made.
- Everybody else is powered by ... something-or-other, well now
we're :^)
Version 4.4 (October 1997)
- Due to optimizations in critical sections of the server and the
elimination of debug code from production executables the server's
performance has significantly improved.
- The server can now support multi-homed hosts and multiple-port services
from the one process. Due to changes in connection request processing some
NETLIB supporting TCP/IP packages can no longer provide DNS lookup (it now
occurs at AST level, see the NETLIB documentation).
- Conditional rule mapping; applies rules only after certain criteria
other than the initial path match are met (e.g. client internet address,
browser-preferred language, browser-accepted content-type, browser
identification string, authenticated remote user, HTTP method).
- The server can optionally use the VMS security profile of a
SYSUAF-authenticated user name to determine whether access to a particular file
or directory is permitted.
- Configurable message database, supporting multiple, concurrent
languages.
- In addition to the common log format the server now supports the
common+server and combined pre-defined formats, as well as
user-defined formats.
- Some additional command-line server control functionality.
- Of course, the usual bugfixes (a couple of significant but not obvious
ones this time) and minor refinements.
Version 4.3 (August 1997)
- MadGoat NETLIB support. As well as native Digital TCP/IP Services
(UCX) support the server can now (potentially) support these packages:
- Cisco MultiNet for OpenVMS, any version
- PathWay from Attachmate Inc., any version
- TCPware from Process Software Corporation, any version
- CMU TCP/IP (VAX only) v6.5 or later is not supported due to too
great a variation from the other packages.
- Activity report. This provides a graphical representation of server
activity (requests and bytes transferred) for up to the previous 28 days.
- DCL scripting now has greater CGI compliance. Prior to v4.3 POSTed
scripts would read the request header then the body (i.e. the full
request). The CGI standard is body-only. This is now the default. A
configuration parameter allows the previous behaviour to be explicitly selected.
- Logging can now be enabled and disabled on an ad hoc basis from the
Server Administration Menu.
- Some minor bugfixes and refinements.
Version 4.2 (July 1997)
- Change of name from "HFRD VMS Hypertext Services" to "WASD VMS
Hypertext Services". This follows a change of role and name for the Division.
- CGI scripting redesigned to improve performance through the use of
persistent DCL subprocesses. Some additional configuration parameters support
the reworked DCL module.
- CGIplus scripting (minor extension to standard CGI scripting) to
further improve CGI performance through the use of persistent CGI applications.
- Additional server administration reports on requests (current and
history) and DCL/scripting.
Version 4.1 (April 1997)
- Documentation brought more-or-less :^) up-to-date.
- HTTP response headers now more consistent.
- Delete-on-close for temporary files. Primarily used by the
UPDate facility for previewing documents. (Beware ... any file name comprising
a leading hyphen, sixteen digits and a trailing hyphen will be deleted on
close!)
Version 4.0 (February 1997)
- Very significant changes to internal data structures and processing.
- Changes to startup and login procedures to more easily support multiple
servers within clusters.
- On-line server administration menu providing reports, configuration and
run-time actions of server. Obsoletes some of the $ HTTPD/DO=...
functionality previously available from the command line. More extensive server
reports, and much more, available via /httpd/-/admin/
(obsoletes /httpd/-/report/). These menus and dialogues generally
require an HTML-table-capable browser, such as Netscape Navigator.
- Ability to configure server characteristics requires changes to the
format of the HTTPD$CONFIG and HTTPD$AUTH files. Both are backward compatible,
but if upgrading and using the on-line configuration the format will be changed
the first time they are updated.
- HTTPd server becomes HTTP-cookie-aware.
Version 3.4 (October 1996)
- More extensive server reports (via /httpd/-/report/ ...
obsoleted by v4.0)
- Minor changes to error reporting.
Version 3.3 (August 1996)
- "Basic" and "Digest" authentication and path authorization. The
digest scheme has, to date, only been tested against NCSA X Mosaic 2.7-4b,
which seems to behave a little flaky when reloading documents, and does
not elegantly support stale nonces.
- A configurable module is provided to automatically convert variable to
stream-LF record format files. The stream format is much more efficiently
processed by the server. (VARIABLE and VFC are read record-by-record, all
others in block mode).
- To allow controlled access using authorization the server report is now
generated via a path, as in the anchor
"<A HREF=/httpd/-/report>" (obsoleted by v4.0)
Version 3.2 (April 1996)
- The HTTPD$CONF configuration file no longer requires the encoding
directive (7bit, 8bit, binary, etc.). This must be removed before upgrading
from earlier versions. Encoding is now determined from the VMS file record
format (VARIABLE and VFC are read record-by-record, all others in block mode).
- Persistent connections (HTTP/1.0 de facto standard) are now supported
(for the majority of HTTP transactions). This significantly reduces request
network overhead.
Version 3.1 (January 1996)
- Initial GNU Licensed freeware release.