Site powered by WASD and VMS   Significant Changes
This page documents changes to the WASD VMS Hypertext Services Package that have some effect on configuration or behaviour. It lists changes from version 3.1 onwards, the first to be made available as freeware.  Updating? Beware!

Version 11.5  (July 2020)

  • WASD – for a quarter century and more – the only Web environment implemented expressly for VMS!
  • Before UNZIPing the v11 package when updating an existing v9.3 or earlier installation ...
    ... see all of the requirements of the v10.0 update, including Updating? Beware!

Let's Encrypt

Have (or want) a TLS/SSL secured site?  Using self-signed or commercial server certificate(s)?  Let's Encrypt makes it possible to obtain and maintain browser-trusted certificates, simply, automatically and at no cost.

See WASD Certificate Management Environment (wuCME) on the download page at:

  • Significant effort has been made to make this release the most stable and performant v11.n so far.
    Performance data have been updated for v11.5 (see 11. Server Performance).
  • Installation, update and configuration information, previously the one document, have been reworked into two.
  • A new DCL procedure [INSTALL]0̷BTAIN.COM (yup, a zero) allows selected portions of the package to be extracted for installation or update.
  • With OpenSSL EOLing v1.0.n at the end of 2019 it is also the final WASD that can be compiled against this stream. Future versions will only build with OpenSSL v1.1.n and later (version 3 is coming!)  VAX releases no longer provide OpenSSL.
  • New SET mapping rules;  response=csp=<policy>, response=cspro=<policy>, and equivalent DCL callouts, CSP: and CSPRO:, supporting Content Security Policy.
  • Additional meta-config conditional;  proctor:, allows a more obvious proctored script mapping than the current request-method:.

Version 11.4  (July 2019)

  • Fundamentally this is a 25th Anniversary release of WASD, rather than any significant leap forward. Essentially v11.3 with a small number of tweaks and fixes applied. In any case, a quarter century of continuous development should not go unremarked.
  • A useful feature available with v11.3 and now expanded and formalised is the system+ report, available from the "+" of the [System+] button of the Server Administration menu, and from the CLI using  $ HTTPD /SYSPLUS
  • There is one significant improvement to the package. However this is largely for maintenance, a new documentation processing system – wasDOC – see rationale and full document.
  • Documentation and all references have been moved from WASD_ROOT:[DOC] to WASD_ROOT:[WASDOC].

Version 11.3  (November 2018)

  • OpenSSL 1.1.n is now supported, with 1.1.1 allowing deployment of TLSv1.3 — a significant upgrade to the protocol. When OpenSSL is installed system-wide, 32bit Crypto and SSL libraries must be provided for the WASD build. Alternatively, a WASD-specific kit providing minimal required OpenSSL v1.1.n resources can be used. OpenSSL 1.1.1 no longer supports any SSL protocol version, only TLS. Note that WASD still can be built against OpenSSL 1.0.2.
  • WASD now uses an internal FILES-11 directory parser that improves the performance of directory listings and internal file name searching.
  • New SET mapping rule;  response=var=[CRLF|LF|NONE]
  • Global configuration directive [BufferQuotaDclOutput] allows sizing of script process SYS$OUTPUT mailbox quota.
  • The CLI command /DO=REQUEST=RUNDOWN results in all current requests being rundown, and /DO=ZERO=STATUS clears the server status line (e.g. -STARTUP- displayed by the HTTPDMON utility.
  • WebDAV has received significant attention with refinements and bugfixes applied.
  • Further server bugfixes and minor enhancements makes this the most functional and stable v11.n (see [SRC.HTTPD]VERSION.H).
  • QDLOGSTATS has had geolocation support refactored as described in the utility code prologue. There is now no default geolocation.

Version 11.2  (March 2018)

  • For bulk script->server data transfer (10s to 100s of MB), throughput improvements up to 5x using a shared memory buffer in lieu of the default mailbox transfer.
  • Applicable to all multi-instance environments, especially for clustered instances, are CLI, Server Admin and HTTPDMON reports providing a snapshot of instance status; most recent startup and exit time and counts, most recent exit status value, preceding minute and sixty minutes request processing counts.
  • Associated with the above status data are server CLI commands; /DO=STATUS a basic report, /DO=STATUS=NOW immediate instance update, /DO=STATUS=PURGE remove stale entries, and /DO=STATUS=RESET remove all entries and allow to repopulate.
  • The CLI command /DO=SSL=CERT=LOAD is now a synonym for /DO=SSL=SERVICE=LOAD[=<host:port>] which will (re)load the configuration file SSL parameters into the existing services, all or if specified, a single service.
  • Display a summary of available /DO=.. commands using /DO=HELP.
  • When shutting down, restarting, loading new rules, and on ad hoc occasions, add informal annotations to the server process log using /NOTE=".." at the command-line, or from the Server Admin page /NOTE=.. can be entered into the /DO= text field (quotes unnecessary).
  • New SET mapping rule;  dir=title=[<integer>|default|owner|remote|this=<string>]
  • User-defined logging directives 'II', 'TI', 'TS' and 'TU'.
  • Proxy tunnels can convey the connecting host and port (client) details into the system via the logical name WASD_TUNNEL using path settings proxy=forwarded=for and proxy=forwarded=address.
  • TLS/SSL Server Admin Report now can be accssed using (appropriately authorised) HTTP. Previously this report was only accessible using HTTPS.
  • The usual collection of server bugfixes and minor enhancements (see [SRC.HTTPD]VERSION.H).

Version 11.1  (May 2017)

  • Consolidates the HTTP/2 protocol introduced with v11.0.
  • TLS/SSL refinements supporting OpenSSL v1.1.1 and TLS 1.3 (available Real Soon Now).
  • TLS/SSL client-based session tickets (used in lieu of server-based session IDs).
  • TLS/SSL default configuration (cipher list and options) maximises security and is compatible with most modern agents (minimum Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8). Ciphers require "Forward Secrecy" and presence of [LOCAL]DH_PARAM_nnnn.PEM safe prime files. To support older clients the configuration must be downgraded. See
  • "Raw"Socket scripting implementation, is a variant of, and is heavily based on, the WASD WebSocket infrastructure. It allows a service (listening host and port) to accept a connection and immediately activate a configured WASD CGIplus script to service that connection. Full-duplex, asynchronous, bidirectional, protocol-agnostic input/output is supported.
  • The CLI command /DO=SSL=CERT=LOAD reloads an SSL service's certificate. Used by wCME to change certificate without server restart.
  • New SET mapping rule;  proxy=header=<name>[=<string>].
  • New configuration directives;  [ServiceRawSocket], [ServiceSSLsessionLifetime], [ServiceSSLverifyPeerDataMax], [SSLsessionLifetime] and [SSLverifyPeerDataMax].
  • User-defined logging directives 'CL' and 'PL'.
  • Script proctor has been extended to allow idle generic processes (cf. persistent scripts and RTEs) to be maintained.
  • Server Admin, Activity Report graphic now implemented using HTML5 canvas.
  • Significant HTTP/2 bugfixes along with the usual collection of server bugfixes and enhancements (see [SRC.HTTPD]VERSION.H).

Version 11.0  (May 2016)

  • HTTP/2 support. Requires OpenSSL 1.0.2 or later. Check related documentation carefully.
  • HTTP Strict Transport Security (HSTS) support for TLS/SSL.
  • Supports building against HP SSL1 V 1.0.
  • No longer (from v11.0.2) supports HP SSL (based on OpenSSL 0.9.8n).
  • New SET mapping rules;  dict=<key>=<value>, http2=protocol=1.1, http2=send=goaway[=<integer>], http2=send=ping, http2=send=reset[=<integer>], http2=write=[low|normal|high], response=sts=<integer>
  • Additional meta-config conditionals;  dict:, http2: and request-protocol:
  • New global configuration directives;  [HTTP2protocol], [HTTP2frameSizeMax], [HTTP2headerListMax], [HTTP2headerTableMax], [HTTP2pingSeconds], [HTTP2streamsMax], [HTTP2initWindowSize], [SSLstrictTransSec], [TimeoutHTTP2idle]
  • New per-service directive [ServiceHTTP2protocol] disables HTTP/2 for that service, and [ServiceSSLstrictTransSec] enables per-service HSTS.
  • A key=value dictionary is available during conditional configuration.
  • An additional CGI "Script-Control:" directive X-http-status=<integer>.
  • X509 certificate processing now supports V3 extensions including Subject Alternative Name (SAN) and (Microsoft) User Principal Name (UPN).
  • Add "Refresh [<integer>] Seconds" selector to appropriate Server Admin reports.
  • WASD v11 can be built and run on VAX but HTTP/2 cannot meaningfully be deployed due to lack of support for ALPN and SNI in available OpenSSL versions.
  • This release (undoubtedly) introduced a number of server bugs along with the significant code refactoring required. Seriously! This should be considered a classic point-zero release and carefully evaluated for production environments.

Version 10.4  (December 2014)

  • Secure Sockets Layer (SSL), and its successor Transport Layer Security (TLS), has undergone some refinement and finally provides WASD_CONFIG_GLOBAL in addition to WASD_CONFIG_SERVICE and /SSL= command-line configuration. WASD now supports only the TLS protocol family by default. Some older clients employing SSL(v3) may fail to connect. The deprecated SSLv3 and obsolete SSLv2 can be re-enabled by configuration.
  • Directory listing (Index of) default is now formatted using HTML tables. This should be completely transparent to the end-user. The mapping set dir=style=anchor[2] can (re)enable the pre-v10.4 listing mechanism.
  • New ?httpd=index directives;  ?httpd=index&font=[inherit|monospace(D)], ?httpd=index&style=table[2] (default).
  • New SET mapping rules;  client=[forwarded|if=forwarded|literal=|reset|if=xforwardedfor|xforwardedfor], dir=font=[inherit|monospace(D)], dir=style=table[2], cors=age=<integer>, cors=cred=[true|false], cors=expose=<string>, cors=headers=<string>, cors=methods=<string>, cors=origin=<string>, ods=name=8bit, ods=name=utf8, ods=name=default, webdav=[no]hidden, webdav=meta=dir=<string>
  • WebDAV now allows metadata files to be placed in one of three configurable locations; with the data file (historic and default), in a subdirectory of the data file directory, or in an independent area of the file-system. NOTE: The location of directory metadata has moved from the parent to the directory itself!
  • Services may explicitly WASD_CONFIG_SERVICE [ServiceBind] to (INADDR_ANY).
  • User-defined logging directives 'CI', 'SR', 'SV' for SSL/TLS cipher, SSL/TLS session reuse and SSL/TLS protocol version items, and COMMON+, COMMON_SERVER+, COMBINED+ composite log formats.
  • The new stream facility provides a lightweight, internally generated response of printable characters or binary octets, at maximum server and platform throughput, for testing or metric purposes.
  • The Conan (VMS Help), HyperSPI, HyperReader and Query scripts have had minor "look-and-feel" updates (a passing nod to the twenty-first century :-)  NOTE: Sites using customised button lists, etc., should assess and if necessary adjust for new interfaces.
  • The calendar, charset, colors, glist and hdisk scripts, along with the gift GIF image code, have been removed from the package. These are also completely removed by the update "cleanup" procedure.
  • A small number of server fixes and minor refinements.

Version 10.3  (October 2013)

  • Secure Sockets Layer implements Server Name Indication (SNI), an extension to the TLS protocol that indicates what hostname the client is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and port number.
  • Directory listing (Index of) icons now uniformly attempt to supply a plain-text version of the file. Some browsers and O/S still insist on ignoring the response-specified content-type! Also see section Faux Extension in Environment Overview.
  • Directory listings can now be sorted other than by name. This JavaScript-enabled capability also allows the listing to be resorted on-page, on-demand, without re-request of the server.
  • New ?httpd=index directives;  ?httpd=index&ilink=[yes|no], ?httpd=index&local=[yes|no], ?httpd=index&override=[yes|no], ?httpd=index&query=<string>, ?httpd=index&style=<which>, ?httpd=index&sort=<char>[+|-], ?httpd=index&target=<string>, ?httpd=index&these=<wildcard1>[,<wildcard2>], and ?httpd=index&versions=<integer>|*
  • A new control file .WWW_WASD that can contain for per-directory application, one or more ?httpd=index directives.
  • New SET mapping rules;  dir=[no]ilink, dir=delimit=<which>, dir=style=sort, dir=style=<which>2, dir=sort=<char>[+|-], dir=target=<string>, dir=these=<wildcard1>[,<wildcard2>], and dir=versions=<integer>|*
  • Keywords added to SET mapping rule;  put=rfm=[fix512|stm|stmcr|stmlf|udf]
  • Keywords added to global configuration directives;  [PutBinaryRFM] [fix512|stm|stmcr|stmlf|udf], to [AddType] ftp: and rfm:.
  • The per-service directive [ServiceNonSSLRedirect] allows a non-SSL request at an SSL service to be redirected to the specified non-SSL service.
  • An authorisation realm read-only group can be specified as an asterisk ("*") to represent that everyone else can read.
  • The persona scripting environment now permits shared UIC accounts (despite being not considered best-practise).
  • GZIP compression now directly supports the GNV LIBZ port via GNV$LIBZSHR32 (WASD checks for WASD_LIBZ_SHR32, then GNV$LIBZSHR32, finally LIBZ_SHR32 logical names).
  • WebDAV on non-EFS (extended file system, i.e. VAX) has received some necessary fixes and refinement. Within the constraints of ODS-2 it now works.
  • There have been a number of fixes and refinements to the WebSocket library.
  • Server generated HTML and miscellaneous documentation has received some refinement making them more compliant to modern practise and standards. Not necessarily perfect but nevertheless improved.
  • And a small number of server fixes and refinements.

Version 10.2  (November 2012)

  • This is essentially a WebSocket maintenance release. There have been a number of fixes and refinements to the library and associated server processing.
  • There is a new, niche authentication mechanism — token.
  • And (of course) a small number of server fixes and refinements.

Version 10.1  (November 2011)

  • Dragged kicking and screaming into the mid-1990s!
    The WASD package used to build to a baseline of VMS V6.0 — it now builds to a baseline of VMS V7.0.
    Of course WASD now also requires a minimum of VMS V7.0 to execute.
  • Secure Sockets Layer now supports SSLv3 and TLSv1 by default (previously SSLv2 and SSLv3). If necessary, the vulnerable and deprecated SSLv2 can be re-enabled using the /SSL= command-line parameter.
  • HTML 5 WebSocket scripting implementation.
  • Considerable effort has gone into eliminating alignment faults on Alpha and Itanium (going from sometimes several hundred per request down to zero). The server also continuously monitors alignment faulting and the Server Admin menu now contains an associated report item (which should always report zero!)
  • Additional meta-config conditionals;  directory:, file: and websocket:
  • Global configuration directives [DclScriptProctor] proactively starts and maintains DCL scripts and scripting environments, [RegEx] enabled/disabled/<keyword>, [ServiceProxyChainCred] up-stream proxy credentials, and [WWWimplied] enabling virtual hosts and to be treated as synonymous.
  • New SET mapping rules;  notimeout (short-hand for timeout=none,none,none), map=uri, proxy=chain=cred=<string>, proxy=tunnel=request=<string>, put=max=<integer> (kbytes), put=max=* (unlimited), regex=<keyword>, script=lifetime=<hh:mm:ss>, service=<keyword>, websocket=<keyword>,
  • New DCL callouts LIFETIME: and SCRIPT-CONTROL:
  • Mapping and authorisation configuration lines beginning "!#" are now displayed in Server Admin reports and are WATCHable during rule processing. This allows meaningful commentary to be displayed within these reports.
  • Command-line checks of configuration files /DO=AUTH=CHECK, /DO=CONFIG=CHECK (all configuration files), /DO=GLOBAL=CHECK, /DO=MAP=CHECK, /DO=MSG=CHECK and /DO=SERVICE=CHECK provide some insurance against fatal configuration errors when restarting.
  • Command-line control of WebSocket connectivity with /DO=WEBSOCKET=DISCONNECT.
  • Proxy tunnel requests can now introduce a mapped request header (see SET above) to be sent to the remote server. This adds considerable flexibility in WASD-to-WASD tunneling.
  • Statistics Report durations no longer include proxy tunnel or WebSocket requests (usually much longer duration) and so more accurately reflect the general Web request response characterstics.
  • IPv6 name resolution is now capable of resolving AAAA records.

Version 10.0  (November 2009)

  • The first entry in the source code version log is "20-JUN-1994, v1.0.0" which puts the v10.0 release well into

    WASD's sixteenth year!

  • Before UNZIPing the v10 package and when updating an existing v9.3 or earlier installation the current root directory must be renamed from HT_ROOT.DIR to WASD_ROOT.DIR. The v10 package uses [WASD_ROOT] as its top-level directory in line with the other naming schema changes employing "WASD". See Updating? Beware!
  • After a development phase rivalling pachyderm gestation WASD finally supports WebDAV 1,2.
  • The schema for logical names has been changed to use a "WASD_" prefix (in as much as possible considering backward-compatibility requirements).
  • Logical names are now (largely) confined to a WASD_TABLE logical name table.
  • Server and scripting process names now contain "WASD" (rather than "HTTPd").
  • ACME authentication DOI name of "*" indicates use the default of ACME$LATEST_ENABLED_AGENT_LIST rather than a specified DOI (authentication realm set to the DOI authentication realm).
  • Global configuration directives [AuthSYSUAFlogonType] allows SYSUAF logon type to be specified, [BufferSizeNetFile] and [BufferSizeNetMTU] allow some scope for tuning transfer buffer size, [HttpTrace] enables/disables HTTP TRACE method, [PutBinaryRFM] configures file record format, [ServiceLogFormat] allows a per-service log format, and [WebDAV...] set various WebDAV characteristics.
  • New SET mapping rules;  css=<URL>, put=max=<kbytes>, put=rfm=[FIX512|STMLF], script=agent=as=<account>, webdav=...
  • Authorization rules using SYSUAF/VMS authentication allows a 'param="logon=type"' to specify the logon type (NETWORK the default, LOCAL, DIALUP, REMOTE) to be restricted against.
  • Services can now identify Secure Shell (SSH) connections. With a suitable client (e.g. PuTTY) this can allow SSH tunnelling through a proxy gateway (i.e. to port 443 and on to an SSH server via SSL proxy).
  • WATCH script item allows a script to detect and respond to being WATCHed.
  • The usual collection of server bugfixes and minor enhancements (see [SRC.HTTPD]VERSION.H).

Version 9.3  (March 2008)

  • WASD licensing has been moved to version 3 of the GNU General Public Licence.
    This is a natural progression from version 2 under which WASD was previously released.
  • Server Admin, Request Report now initially lists only currently processing requests. Persistent connections, are subsequently included from a button at the end of the report. Requests currently under throttle control, and request history are similarly available.
  • WATCH now provides filtering on response HTTP status. Note that this is very late in request processing and so provides limited information. Nevertheless it can be useful for locating requests generating unusual response statuses.
  • HTTPDMON now includes the GZIP compression ratio and any authenticated user name and realm as part of the request data.
  • Global configuration directives [SocketSizeRcvBuf] and [SocketSizeSndBuf] allow socket receive and send buffers to be changed from TCP/IP agent default. WATCH network item displays current (default) values if not set, or values being set.
  • [ServiceProxyAuth] has the additional keyword chain which allows the propagation of proxy authentication credentials to an up-stream proxy server. It is not possible to have multiple, chained proxies require authentication.
  • SYSUAF authentication is now unconditionally performed using ACME ($ACM service) for VMS V7.3 and later on Alpha and Itanium. This obsoletes global configuration directive [AuthSYSUAFuseACME].

    NOTE: The use of SYS$ACM has some implications on sites with some users having a Pathworks account and others relying only on UAF accounts. SYS$ACM fails with "%LOGIN-F-NOLOCAUTH, not authorized to override external authentication" for Pathworks users. Setting SYS$SINGLE_SIGNON to 3 has no effect on that. The only workaround is to set the VMSAUTH flag for each user. (Courtesy Jean-Pierre Petit of ESME-Sudria.)

  • DCL scripting callouts REDACT: and REDACT-SIZE: (see below), NOTICED: (and auth agent NOTICED), OPCOM: (and auth agent OPCOM), and auth agent callout SCRIPT-META.
  • Request redaction allows a scripting process (and authentication agent) to suspend request processing, redirect to another URI, and then resume original (or modified) request processing at a later stage. This facility was introduced to allow PAPI authorization to be supported.
  • A variant authorization realm can now be agent+opaque to implicitly suppress the automatic username/password challenge (saves a /PARAM=NO401 on each path).
  • The usual collection of server bugfixes and minor enhancements (see [SRC.HTTPD]VERSION.H).

Version 9.2  (November 2006)

  • Documentation previously provided as PostScript is now in PDF. This is produced via an intermediate PostScript version generated by DECdocument which is then post-processed using VMS-based Ghostscript (currently AFPL Ghostscript 8.54).
  • Without completely reworking the documentation there has been a significant amount of time spent attempting to ensure it is accurate and up-to-date with some of the more arcane areas simplified and/or expanded.
  • The Server Administration facility now contains an  [Active][Passive]  pair of buttons. On multi-instance sites this allows all but one instance to be made quiescent (not listening for network connections). This can simplify the use of the WATCH facility by "forcing" all requests through the remaining active instance. The equivalent command-line directives are /DO=INSTANCE=ACTIVE and /DO=INSTANCE=PASSIVE.
  • The Server Activity graph now displays network connections, peak and current, and more accurately represents requests, now total, max, peak and current. It also has buttons  [ - ][ + ]  for controlling graph zoom functionality.
  • WATCH reporting has significant enhancements to allow requests to be filtered in or out of the report based on client, service, request header field, path and authentication criteria.
  • Proxy affinity (also known as client to origin affinity, courtesy Jean-Pierre Petit ( uses cookies to allow the proxy server to make every effort to relay successive requests from a given client to the same origin host.
  • A tunnelled, raw (proxy) service request can now be chained to another proxy server, generating an intermediate CONNECT request to navigate through the up-stream proxy server.
  • Access logging now supports an HOURLY period. Also, if access logs are located on an ODS-5 volume the ODS-2 contraints on file name length are relaxed. This allows the full service-host-name components, etc., to be present in the log file name.
  • The authorization realm OPAQUE allows a script to control all aspects of an HTTP authorization interaction with a browser.
  • Additional meta-config conditionals;  server-protocol: and service:?.
  • New global configuration directives;  [InstancePassive], [ProxyConnectTimeoutSeconds] and [ServiceProxyAffinity].
  • New SET mapping rules;  proxy=reverse=[no]auth and proxy=[no]affinity.
  • An eclectic congregation of server bugfixes and minor enhancements (see [SRC.HTTPD]VERSION.H).
  • The [SRC.AGENT] directory contains two versions of working LDAP authentication agents. These rely on the integrated LDAP support available with VMS V7.3 and later.
  • The QDLOGSTATS utility now allows entries to be selected on a date/time since and before specification. This is supported when using the CGI or command-line interface. There have been other minor refinements.
  • The WOTSUP utility has seen significant enhancements. It will now monitor and report all processes supporting multiple instances. HTTP status code monitoring granularity improved so that individual codes can be reported against. Emailed alerts now contain a subject field with an "executive summary" of the contents. Check the source code for more information.
  • A procedure SHUTDOWN.COM is now copied into the [STARTUP] directory during installation. This shuts-down the server and un-INSTALLs WASD-related files and is intended for inclusion in site-specific system shutdown procedures.

Version 9.1  (June 2005)

  • Extensions to GZIP response compression.

    1. Caching of GZIP content removing the need to recompress with each response.
    2. Caching of proxied GZIP responses.
    3. GZIP compression of non-GZIPed proxy responses from proxy server to proxy client.
  • Revised multihomed service processing. This provides better service discrimination and can ease some SSL certificate support constraints across services using the same IP port.
  • Per authenticated user request throttling. This allows control of how many concurrent requests a particular authenticated user can have processing against a particular path. An extension to the existing throttle facility.
  • Additional  /DO=NOTE=string  command-line directive. Provides add hoc administrator data to meta-config conditional rule processing. A quick, neat method for suddenly changing a server's (or cluster of servers') rule processing!
  • Modified  /DO=DCL=[PURGE|DELETE]=[USER|SCRIPT|FILE]=string  and  /DO=THROTTLE=[RELEASE|TERMINATE]=[USER|SCRIPT]=string  directives. These allow free-form parameters to be added to the basic directive (e.g. a username) and are currently restricted to Alpha and Itanium VMS V8.2 platforms (requires the 64 byte lock value block).
  • The Server Administration facility now provides a [/DO=]{<directive>} button and text field to allow the equivalent of entering any /DO= directive at the command-line.
  • The HTTPD$MSG logical name can now contain multiple values allowing a "search list" message file specification where a local file needs only contains a subset of the full number of messages. This will remove the need to merge local and WASD message files whenever a revised one is released.
  • Additional meta-config conditionals;  instance:,  multihome:,  note:,  robin:.
    The robin: conditional provides an interesting processing distribution mechanism.
  • New SET mapping rules  script=control=<..>script=symbol=truncate.
  • Modified SET mapping rule  throttle=<integer>/<integer> to support per authenticated user throttling.
  • The HTTPD$VERIFY logical name may now be defined to contain a dotted-decimal IP address. This confines the  $ SET VERIFY  behaviour to the client with that IP address (more easily allowing script trouble-shooting on a live server).
  • Refined SYSUAF password expiry URL handling.
  • A new utility named WOTSUP is intended for monitoring a WASD server in a production environment and report via OPCOM, email and local-mechanism if there is a real or suspected issue with it's processing. Check the WOTSUP doc (no, not original with me but I can't resist using it :-) in the source code description in the [SRC.UTILS] directory.
  • The UPDATE and INSTALL build procedures now contain an option to build with CPU optimisations (/ARCHITECTURE=HOST). This can provide significant performance improvements.  CAUTION!  In a cluster sharing various Alpha CPU families (e.g. EV4, EV5, EV56, EV6, EV67) this could at best improve the perfomance of some while degrading that of others; at worst it may create an executable incompatible with some members.

Version 9.0  (December 2004)

  • HTTP/1.1 compliance (RFC2616).
  • Persistent connection and request pipelining (tested using Mozilla 1.7) provides significantly and noticably improved performance. Connection persistence is now also supported for SSL, client->proxy and proxy->origin server connections.

    With the very real benefits of HTTP/1.1 connection persistence it may be good policy to extend the HTTPD$CONFIG [TimeoutPersistent] directive (formerly [TimeoutKeepAlive]) to something more like 00:00:30 (thirty seconds). Also monitor [ConnectMax] (formerly [Busy]). This may need to be extended to accomodate an increased number of connections persisting for a longer period.

    BETA testing showed that MSIE (6 at least) connection persistence over SSL could be problematic with [TimeoutPersistent] less than ten seconds.

  • Proxy processing is substantially HTTP/1.1 compliant, proxy caching slightly less so but does not flagrantly flout HTTP/1.1 guidelines. Broader response caching and persistent client->proxy and proxy->origin server connections provide substantial performance improvements.
  • Proxy tunnelling, an extension of the HTTP CONNECT method, allows raw octet connections through WASD to independent applications (e.g. telnet, SMTP servers) and SSL-encrypted octet connections between WASD servers.
  • GZIP request and response content-encoding. In conjunction with the ZLIB v1.2.1 (or later) port by Jean-François Piéronne.
  • New logout functionality associated with [AuthRevalidateUserMinutes] and/or SET auth=revalidate= and "?httpd=logout".
  • Explicit server code optimizations providing tangible performance improvements.
  • The WB (WASD Bench) utility now supports a variety of POST functionality (originally needed to develop and test WASD's HTTP/1.1 chunked transfer-encoding and GZIP content-encoding body processing).
  • The PCACHE utility has been updated to handle v9.0 proxy cache files.
  • A new utility FORMWORK, located in the [SRC.MISC] directory, provides functionality for accepting and processing data POSTed from HTML forms for input into comma-separated (CSV) files. (It was a q&d solution for gathering user-input data on some 6,000 systems at my own site.)
  • CGILIB now has a shareable image on Alpha and IA64 (none is supplied for VAX - too many dependencies). The latest STARTUP.COM defines the system-table logical name WASD_CGILIBSHR32 for this image. Check [SRC.MISC]CGILIB_EXAMPLE.COM for a linkage example.
  • New global configuration directives,  [ConnectMax] (supercedes [Busy]) max concurrent connections,  [EntityTag] enables the generation of file "ETag:", [GzipAccept] accept gzip encoded request bodies,  [GzipResponse] level[,memory,window] gzip encoded responses,  [LogWriteFail503] service unavailable 503 response when access log write fails,  [PipelineRequests] enables pipeline processing,  [ProcessMax] max concurrent requests being processed,  [ProxyCacheNegativeSeconds] for non-success responses,  [ProxyConnectPersistMax] and [ProxyConnectPersistSeconds] for controlling proxy->server connection persistence,  [ServiceProxyTunnel] connect | firewall | raw,  [ServiceClientSSLcert] and others allow outgoing SSL config,  [TimeoutPersistent] supercedes [TimeoutKeepAlive].
  • New SET mapping rules,  script=syntax=[no]unixresponse=gzip=<..>script=body=[no]decodereport=tunnel.
  • An additional CGI "Script-Control:" directive X-content-encoding-gzip[=0|1].

Version 8.5  (June 2004)

  • WASD 10th Anniversary
    Although there had been some coding going on during the previous year, the first official entry in WASD's version log is 20-JUN-1994, v1.0, with the first freeware release some eighteen months later at 03-JAN-1996, v3.1. And it's been under continuous development and refinement (and bugfixing :^) for that full ten years  -  a substantial portion of the entire history of the "Web". Thanks to a whole swag of people for support, suggestions, problem reports and general encouragement; especially to my understanding spouse for her continuing patience.
  • IP version 6 (IPv6) is now supported concurrently with IP version 4 (IPv4). All networking functionality, service creation, proxy HTTP, SSL, FTP and RFC1413 authorization is IPv6 enabled, along with the HTTPDMON and QDLOGSTATS utilities. During the integration of IPv6 the full TCP/IP networking codebase underwent significant refinement. Note that the IPv6 functionality has not been used extensively in the field - use with caution at first!
  • ACME authentication for Alpha VMS 7.3 and later is now available. Two OpenVMS ACME agents are currently available, "VMS" (SYSUAF) and "MSV1_0" (Microsoft domain authentication used by Advanced Server). Others, including Kerberos and LDAP, have been suggested as candidates for development and future release. The [AuthSYSUAFuseACME] configuration directive allows all SYSUAF authentication to be performed by the ACME services on applicable platforms.
  • RMS has been eliminated from file content and proxy cache file access, providing improved latency and efficiency. VAR and VFC record format files are now converted to stream format using non-RMS routines and this alone returns a 600% improvement in throughput (yes 6x!)
  • Path mapping now notes the device on-disk structure (ODS) for all PASS rules and applies that to the syntax of the path being mapped to the file-system. This can still be overridden using SET ods= mapping rules.
  • A scripting process now performs a SET DEFAULT to the directory the script is located in before script activation. The mapping rule SET script=default= allows this to be explicitly set on a per-path basis. A script=default=# mapping suppresses the SET DEFAULT (for backward compatibility).
  • On applicable platforms a scripting process now performs a SET PROCESS /PARSE=EXTENDED or SET PROCESS /PARSE=TRADITIONAL depending on whether the script path is located on an EFS (ODS-5) volume or not.
  • It is now possible to set SSI document parsing availability and capabilities on a per-path basis using SET ssi=exec=<string>.
  • The SET response=[keyword|<string>] rule allows some control over the response header generation.
  • Scripts can now generate SSI markup as output and pass that to the server's internal SSI engine for parsing and subsequent HTML output. The CGI response extension header field Script-Control: X-content-handler: SSI activates this functionality.

Version 8.4  (January 2004)

  • The package now can be deployed on IA64 (Itanium) based systems running HP OpenVMS Industry Standard 64 Evaluation Release Version 8.1. Clusters of Alpha, IA64 and VAX systems can use the one, fully-integrated installation. All supported WASD functionality is present, with additional support package availability (e.g. Perl, PHP) dependent on any underlying software support on the IA64 system. SSL (Secure Socket Layer) functionality can provided through the HP-supplied IA64 SSL product or the WASD OpenSSL kit (for IA64).
  • DCL scripting supports the VMS 7.3-2 (and later) Extended DCL (EDCL) maximum command-line length (4095 characters, up from 255) and symbol size (8192 characters, up from 1024). These extents are of course ultimately constrained by the command mailbox quota (configurable).
  • The server now supports the "Range: bytes=<range>[,<range>]" request header field and will provide a 206 partial content response for non variable record length files and for cached files. The server will also proxy such requests and responses (but does not cache them).
  • The previously file-only caching facility has been extended to allow script, SSI document and even "general network" output optionally to be cached. This is intended to provide efficiencies for sites where relatively static pages are being generated using environments such as PHP and Perl. Additional SET cache= mapping rules allows this to be tailored on a per-path basis.
  • The HTTPD$CONFIG [CacheGuardPeriod] directive allows the default period of fifteen seconds to be extended. This HTTPD$MAP rule SET cache=guard=<period> provides this on a per-path basis. During this period subsequent reloads using request header fields to specify no-caching will not result in the entry being revalidated or flushed.
  • For those that consider a Web server should be a NETWORK service the server process (along with any associated script processes) can now run as network mode. The STARTUP.COM procedure accepts a WASD_NETWORK parameter and starts the detached server using the required /NETWORK qualifier. Scripts requiring to differentiate between standard and DECnet activation may require some minor revision (see CGI_SYMBOLS.COM for one possible mechanism).
  • The $GRANTID system service used to support /NETWORK mode operation requires the server image to be installed with CMKRNL privilege. The revised STARTUP.COM provides this.
  • The /PERSONA=IDENT=<username> facility is now available to those using the PERSONA_MACRO build (required for detached scripting processes under VAX VMS versions earlier than 6.2).
  • Script activation code has been revised to support command-line definition files (.CLD) to specifiy a script. The order in which an un-typed script is now searched for is .COM, .CLD, .EXE and then [DclScriptRunTime] specified.
  • Scripting will now allow parameters to be added to the command-line activation on a per-path basis using the SET script=command=<string> mapping rule.
  • The HTTPD$MSG [Language] directive now allows a specified character set to be associated with that language's messages.
  • Reverse proxy now supports the rewriting of a 302 "Location:.." response URL using the SET proxy=reverse=location=<string> mapping rule.
  • Reverse proxy also supports a specialized authorization and verification scheme known as proxy verify. For detailed information consult the description found in the [SRC.HTTPD]PROXYVERIFY.C module.
  • Some control over the number of concurrent client requests in progress may be exercised using the client_current_gt: conditional to adjust mapping and subsequent processing.
  • New SET mapping rules,  cache=[no]cgicache=expires=<period>cache=[no]filecache=guard=<integer>cache=maxkbytes=<integer>cache=[no]netcache=[no]nphcache=[no]querycache=[no]ssimap=root=<string>map=set=[no]ignoremap=set=[no]requestproxy=reverse=location=<string>proxy=reverse=verifyresponse=header=<[append|full|none]>script=command=<string>.
  • There is a new command-line utility HTADMIN to assist with the maintenance of $HTA authorization databases.
  • There have been some format refinements (or at least changes ;^) to some Server Admin report items.

Version 8.3  (July 2003)

  • WASD string matching (mapping rule, authorization rules, conditionals) now supports Posix EGREP style regular expressions. Must be enabled using the [RegEx] configuration directive and introduced using a leading "^" character.
  • Wildcard string matching (the WASD traditional method) has had efficiency improvements implemented.
  • "Specified" wildcard substitution allows mapping rules to omit some matched portions and change the order of substituted portions when processing result strings.
  • A new Server Administration report menu item [Match]. This provides direct access to the server string matching routines and allows the site administrator to experiment with string matching and substitution.
  • The file cache now allow the storage of permanent entries, as well as the traditional volatile ones. Permanent entries are intended for the most static but frequently accessed of all site files (e.g. site logos, graphics, home pages, etc.) and are not flushed or revalidated in the same way as static ones. The SET cache=perm mapping rule specifies the paths associated with these resources.
  • Additional meta-config conditionals;  notepad:,  regex:,  request:,  restart:.
  • Additional mapping SET rules;  cache=[no]perm,  cache=max=<integer>,  notepad=[+]<string>.
  • Authorization break-in detection and evasion has been reworked so it behaves in the same way as VMS LGI_BRK_LIM, LGI_BRK_TMO and LGI_HID_TIM parameters. Two new parameters, [AuthFailurePeriod] and [AuthFailureTimeout], in addition to the existing [AuthFailureLimit] are used to implement this. If all or any are set to zero they assume the equivalent LGI_.. parameter value.
  • A combination of VMS and rights ID authentication functionality previously not possible is now provided using /SYSUAF=(VMS,ID).
  • The instance functionality introduced with 8.0 has finally demonstrated itself to the author's satisfaction. The test environment is a 4 CPU AlphaServer 4100 running OpenVMS 7.3-1 and Compaq TCP/IP Services 5.3-18. A bug that exhibited itself on multiple CPU systems finally has been identified and fixed.
  • The common and combined log formats now include the HTTP protocol in the request URL. The user format directives now allow 'PR' to specify the same datum.
  • The QDLOGSTATS utility now allows the use of Posix EGREP style regular expressions when matching the various components of the log file.
  • The CGIUTL (v1.10.n) shipping with the 8.3 package has a change in behaviour for /MULTIPART /FIELD=<name> multipart/form-data POST decoding. Previously the representative symbol names were WWW_FORM_name_MIME_data, now they are (the more consistent) CGIUTL_name_MIME_data. Allowing for this change may require modification to scripts that use this functionality.

Version 8.2  (April 2003)

  • New mapping rules, dir=style[=default|original|anchor|htdir], html=[bodytag|header|headertag|footer|footertag]=.., cgiplusin=[none|cr|lf|crlf|eof], proxy=[no]forwarded[=by|for|address], proxy=[no]xforwardedfor[=enabled|address|unknown], script=query=none, script=path=find, script=as=$?, [no]search=none. The plus variation on the exisiting script=params=+(name=value) concatenates to any previously set script parameters.
  • The html= path SETings can be used to set body, header and footer tags and text for incorporation in directory listings, error reports and selected other facilities. These also are available to scripts via the HTML_name CGI variables.
  • Use of SYSUAF authenticated security profile (/PROFILE) against a HTTPD$AUTH path can now be made to be applied via the authorization rule (rather than using the set [no]profile mapping rules). The startup keyword /PROFILE=BYRULE directs the server only to apply security profiles if the authorization rule has such a directive.
  • CGI output processing has been relaxed to accept any CGI response header field in any order provided that one of Content-Type:, Location: or Status: occurs somewhere in the response (i.e. actually is CGI compliant). To allow RTEs to be built using certain processing environments (e.g. PostScript) the CGI engine now will build (no matter how inefficient) single byte records into composite new-line delimited "real" records before processing.
  • Run-Time Environment (RTE) scripting attempts to reuse processes that were previously processing the same script and if possible path (to allow the RTE to cache these if desired). Not finding any available the Least Recently Used (LRU) RTE is then activated in an attempt to allow more recently/frequently ones to keep their cache.
  • The HTML_name CGI variables are available to scripts and Server Side Includes (SSI) documents reflecting the content of any set html= rules, and the GATEWAY_EOF, _EOT and _ESC CGI variables provide the CGI processing sentinal strings to environments that cannot access the contents of the corresponding logical names.
  • HTTPD$MSG message configuration files now allow multiple, comma-separated and wildcard [Language]s to be specified.
  • Authentication agents can issue a "100 REASON any text" callout response to provide an explicit reason for authentication failure.
  • Server processes created during startup under VMS 6.2 and later have a YYYYMMDDHHMMSS timestamp as part of the process (SYS$OUTPUT) log name.
  • A change that occured in OpenSSL 0.9.7 certificate Distinguished Name (DN) record format from /email to /emailAddress is now allowed for.
  • Courtesy of Dick Munroe (; the CGIUTL utility has received some significant enhancements, and conversion utilities (see [EXAMPLE]), and SERVER_NEUTRAL_CGI.COM CGI wrapper (see [SRC.OTHER]).
  • There have been small refinements to the 8.1 environment installation, update and support utilities.
  • The favicon.ico can be mapped into any relevant service using the HTTPD$MAP rule  pass /favicon.ico /wasd_root/favicon.ico
  • Document and script LINK/VLINK colours have been changed to a more muted blue (#0000ff to #0000cc). It was suggested, and I agree, that this is easier on the eye and generally works better.

Version 8.1.1  (January 2003)

  • A minor, couple of bugfixes and documentation release.
  • I didn't what these nuisance-value issues complicating an already significant upgrade. The SECHAN utility during batch startup could prevent the server starting due to an illegal I/O request (enabling ctrl-T). Using the /DO= functionality could occasionally fail with a NOSYSLCK error and report 4294967295 servers notified (hmmm, that seems a magic number ;^)  This was due to a race condition.
  • The set script=query=relaxed mapping rule allows unbalanced name-value pairs in form-url-encoded query strings to be ignored by the server and passed on to the script for processing.
  • The QDLOGSTATS utility has been enhanced.
  • A new method of selectively updating a site's files using a full archive is available using the [INSTALL]SELECT.COM procedure. This will eliminate the need for package update kits to be supplied (saving me time) while still allowing only those files required to be updated to be restored.

Version 8.1  (December 2002)

  • Versions prior to 8.1 have been shown to have some security issues with directory tree structure and permissions, and a too-liberal default ([EXAMPLE]) configuration. Problematic server functionality has also been addressed. Whether updating or installing from scratch, please (re)read the [doc.misc]wasd_advisory_020925.txt and the revised Technical Overview section 5 - Securing The Site. Be prepared for some minor issues related to changes in package security profile.
  • You must use the full environment of 8.1, including the new startup procedures, otherwise package behaviour is indeterminate. Ensure that HTTPD$CONFIG directive [DclDetachProcess] is set to enable to allow the server to use the scripting account (HTTP$NOBODY).
  • A number of problems present in the v8.0 release have been resolved. This includes some bugs but also functionality issues.
  • WASD SSL (Secure Socket Layer) functionality can now be provided through the Compaq SSL for OpenVMS Alpha product on VMS versions 7.2-2 and later. The WASD HTTPd can be compiled against this toolkit, and/or linked against it's sharable libraries. This provides a considerable saving in executable size and memory consumption when multiple SSL application are in use against this product. It also aligns WASD with the emerging Open Source Security architecture for OpenVMS. The WASD OpenSSL kits will continue to be released to support platforms that cannot use the Compaq SSL product.
  • INSTALL and UPDATE procedures now detect SSL toolkits available to WASD and request whether an SSL enabled version of the server should be built. This eliminates the second step of @UPDATE SSL previously required.
  • "Skeleton-Key" authentication has been provided to allow non-configured access to the Server Administration facility for novice administrators on newly installed sites (amongst other uses).
  • ODS-5 (Extended File System) volumes and naming conventions have been supported since their release. Now SRI file name encodings (Process Software MultiNet and TCPware NFS and other utilities), PATHWORKS (4/5) and Advanced Server file name encodings (PATHWORKS 6, also used by Samba on ODS-2) can be converted for direct use and display by the HTTPd. The path settings ODS=2, ODS=5, ODS=ADS (syn. ODS=SMB), ODS=PWK and ODS=SRI control these mappings.
  • DECnet scripting rules can now specify that the script be executed under the account of an authenticated username (e.g. '/NODE"$"::/cgi-bin/'). The set script=as= mapping rule can also now be used with DECnet scripts.
  • The ALERT path setting can now optionally specify when to provide the alert; ALERT=MAP (immediately after mapping), ALERT=AUTH (after any authorization) and ALERT=END (default, at end of request processing).
  • Other new mapping rules, set auth=all, set alert=keyword, set map=ellipsis, set query-string=, set report=4nn=nnn.
  • Additional meta-config conditionals, mapped-path:, path-translated:, script-name:, redirected:, pass:, and additional keywords to ods:.
  • Additional mapping conditionals, [MP], [PA], [PI], [RC], [RU], [ST] that parallel the meta-config conditionals above (yes, I know these are described as obsolete ;^).
  • Scripts may now request the server to generate an error message on it's behalf using extensions to the CGI/1.2 "Script-Control:" response fields. This can give a very consistent look and feel to these responses.
  • New utility SECHAN. This provides a collection of functionalities used to maintain package security and access to various directories and files for server and scripting accounts.
  • Remember that when installing or modifying scripts they need to be copied into [CGI-BIN] and [AXP-BIN or [VAX-BIN] (convenience logical CGI_EXE:) to make them accessable to the server.
  • The Compaq TCP/IP Services ECO that will allow instances to be used in production has not yet been released (see immediately below).

Version 8.0  (July 2002)

  • Instance support, where multiple server processes on a single node participate in an integrated environment (not unlike clustering itself) to share request load, provide rolling restart and a "fail-through" capability. Load sharing allows multi-CPU systems to significantly improve throughput. This instance implementation also provides an enhanced level of cluster-wide serving awareness.  WARNING Compaq TCP/IP Services v5.n (at least) has a problem with socket listen queuing that can cause services to "hang" (should this happen just restart the server). Ensure you have the requisite ECO installed before activating multiple instances on production systems!
  • Mapping and authorization now share a consistent set of conditional rules (similar in intent but different in implementation to the previous mapping-only conditionals) that allows individual or blocks of rules to be conditionally applied depending on request, system, environment and other characteristics.
  • Language-variant documents can be configured and selected by the server depending on client browser language preference settings. For instance, a directory may contain generic (EXAMPLE.HTML), French (EXAMPLE_FR.HTML), English (EXAMPLE_EN.HTML) and German versions (EXAMPLE_DE.HTML) of the same document. As indicated by preferences expressed in the "Accept-Language:" request header field a German client will receive the Deutsch version (EXAMPLE_DE.HTML), French the Française version (EXAMPLE_FR.HTML), etc., with a fallback to the generic if no appropriate document is available or the client has not specified a preference. Can be applied to non-text files.
  • Language character set conversion. Using the VMS standard National Character Set (NCS) conversion library a document's character set may be converted dynamically (and efficiently) from one to another as indicated by preferences in the request "Accept-Charset:" header field. This has particular application for non-Latin-1 sets such as the Cyrillics used by some East European languages.
  • Script response header processing (CGI and NPH detection) has been refined to better handle non-record-oriented responses. This improves behaviour when scripts use the likes of fwrite() under the current DECC-RTL to provide portions of response header fields. It is not a total solution however, with some concessions still required for record-oriented output without explicit carriage-control.
  • Proxy serving now supports FTP.
  • Proxy can also now perform HTTP-to-SSL (Secure Sockets Layer) gatewaying, allowing non-SSL-aware agents access to SSL services, as well as HTTP-to-FTP, SSL-to-HTTP, and other combinations of protocol conversion.
  • Additional configuration directives;  [AuthCacheEntriesMax],  [AuthCacheEntrySize],  [AuthSysUafPwdExpURL],  [AuthSysUafAcceptExpPwd],  [CharsetConvert],  [InstanceMax],  [LogPerInstance],  [ProxyCacheNoReloadSeconds],  [ServiceProxyHttpSsl..],  [SsiSizeMax]
  • Additional mapping SET rules;  alert,  accept=lang,  auth=revalidate=hh:mm:ss,  auth=sysuaf=pwdexpurl=,  dir=access=,  http=accept-charset=,  http=accept-language=,  proxy=bind=IP-address,  proxy=chain=host:port,  script=params=(name=value[,name="quoted value"]). 
    The charset= rule also has an additional behaviour.
  • Mapping SET rules may now be appended to any rule that contains both a template and result. Hence a final match can also be used to set path characteristics as in  pass /documents/* /ods5_device/docs/* ods=5
  • Additional  /DO=INSTANCE=integer  and  /DO=PROXY=STOP=SCAN  command-line directives.
  • The retirement of the WWWRKOUT utility. The addition of two other utilities; WB (WASD Bench, a $QIO-driven analogue to Apache Bench :^) and CALOGS (Consolidate Access LOGS).
  • Request body handling (POST and PUT) has been revised to process the body in discrete chunks eliminating the requirement for the server to buffer the entire content in virtual memory. This effectively removes any processing limitation on request body size.
  • Ever found it annoying not being able to easily read a file you know contains text but they file type is not configured or is configured for something else? Well, from a directory listing just click on the icon. For non-textual file types the icon is now an anchor returning the file as a plain-text document (regardless of it's real content)!
  • Activity statistics are now stored in a permanent global section allowing activity graphs to span startups to a maximum of 28 days activity. Peak load is displayed on the request histogram, and server exit and startup events are indicated using vertical lines of different colours.
  • Plenty of "under-the-hood" changes supporting the new instance functionality and the greater cluster awareness (in preparation for cluster-wide (perhaps even galaxy-wide :^) scripting and other sharing in forthcoming versions).

Version 7.2.1  (November 2001)

  • A minor, basically bugfix release.
  • One notable functionality item, persona scripting support (non-server account) for VAX VMS versions that do not support the $PERSONA services (i.e. 6.0 and 6.1). The PERSONA.MAR module performs a similar function by explicitly manipulating the process structures in kernel mode, operating in a well accepted but basically unsupported fashion! Check the build and scripting documentation for further details.

Version 7.2  (July 2001)

  • X.509 certificate authorization for SSL transactions. This allows authorization credentials to be established via client certificate without the use of username/password dialogs.
  • For SSL servers it is now possible to use private keys without embedded passwords. As the SSL service is started the server prompts via HTTPDMON and OPCOM (if enabled) for the private key password. It can be supplied using a /DO=SSL=KEY=PASSWORD directive.
  • Authorization via the RFC1413 "identification protocol".
  • Remote user to local SYSUAF user "proxy" access.
  • Control of request processing, known as "throttling", sets limits on the number of concurrent requests being processed before new requests are queued. Can be used to limit instances of resource intensive processing as in the case of some scripts, etc.
  • CGIplus/RTE has a lower overhead, higher efficiency and throughput (50% to 100% increase) CGI variable transfer mode. Historically CGI variables have been transfered one per record, now termed "record" mode. It is also possible to transfer variables as a single I/O, or in "struct" mode. CGILIB now enables this by default. Just relink as necessary.
  • Scripts are no longer automatically run-down if a client disconnects while processing. The [DclBitBucketTimeout] period must expire first. This results in most scripts and/or the associated process continuing to be available for use with another request, a significant efficiency improvement.
  • Improved script run-down handling. Scripts executing images are $FORCEXed before processes are deleted, allowing exit handlers to gain control for more elegant releasing of resources, etc.
  • It is now possible to specify a maximum CPU time limit on a per-script basis using the SET SCRIPT=CPU=hh:mm:ss mapping rule. This may be particularly useful in allowing for run-away user scripts.
  • Only selected HTTP status code reports need to be customized using the [ErrorReportPath] directive, those remaining still being handled internally.
  • The EXEC rule now allows not only directories to be specified as script repositories but also file types. This allows files with a particular extension to be designated as executable scripts no matter where that occur in the specified path (and can be used to map ex-Purveyor scripts for example).
  • "Monitor" data and "control" directives (/DO=) now communicate via shared memory in a global section. This is significantly more efficient and versatile. (Note that images must be installed with PRMGBL, SHMEM (VAX only) and SHRGBL).

Version 7.1.1  (January 2001)

  • A minor release corresponding to the closing of OpenVMS Freeware CD V5 submissions.
  • The usual bugfixes :^)
  • CGILIB has been updated for the new CGI interface requirements of Compaq Secure Web Server (CSWS) V1.0-1 (based on Apache 1.3.12).
  • A "standard" area for script scratch space ... with the server cleaning up behind those that fail to. See the Scripting Environment, Introduction.
  • QDLOGSTATS can now be used as a script and will provide an HTML form-based interface page.

Version 7.1  (November 2000)

  • Scripting process creation has been moved from LIB$SPAWN() to SYS$CREPRC(). This allows some interesting new features including detached processes and scripts executing under non-server accounts (on VMS versions 6.2 and later), including user accounts. Subprocess scripting is still the default (i.e. it is backward compatible). Check the "Scripting Overview, Introduction" for the details.
  • Selected server administration menu and command-line /DO= directives can now be simultaneously applied to all servers on a node or across a cluster. To see this in action, even with only one existing server on a single node, do a  $ @HT_ROOT:[000000]FREEWARE_DEMO  and then access the system's server Administration Menu.
  • The server administration menu now provides specific functionality for maintaining service and message configuration.
  • Proxy cache maintenance scans are now cluster-aware. A server undertaking a scan locks the cache, preventing other servers from simultaneously attempting to perform maintenance activities on the cache.
  • Run-Time Environments are a persistant scripting mechanism designed to support interpreters like Perl and Java, with the objective of reducing response latency, increasing throughput and reducing system impact. This version includes an example Perl RTE, which can give a performance improvement of some twenty-five times on standard CGI Perl scripts! For Perl distribution considerations this Perl RTE must be fully compiled and linked locally.
  • A new configuration directive [CgiStrictOutput] introduced in WASD 7.0 directs the server to report script responses that are neither CGI or NPH (i.e. have none or a faulty response header). This is enabled in the 7.n example configuration files. Site administrators that do completely new installations may find their old scripts are now being reported as "ERROR 502 - External agent did not respond (or not acceptably)." Either modify the script to supply an appropriate header (preferable) or disable the configuration directive.
  • There have been some other refinements to the scripting environment and more detailed information provided in the Scripting Overview. It is recommended site administrators and script authors review this.
  • CGILIB has been modified to become an object module/library. Compared to the code #include this is a more elegant method for delivering it's functionality. More significant WASD scripts have been modified to support this version (e.g. Conan, HyperShelf/Reader, WASDquery and others). The #includable functionality is still available.
  • Changes in VMS Apache BETA behaviour between 1.3.9 (T1.3-9AG) and 1.3.12 (1.3-12) make some WASD Server and CGILIB code ineffective. As far as the author can tell there is no way to send a binary stream from a script via T1.3-12. Whether or not future changes to VMS Apache restores this functionality cannot be determined at the current time.
  • The CGIUTL scripting utility has been enhanced so that POSTed request fields containing multiple lines (e.g. <TEXTAREA>s) can be processed into DCL symbols one line per symbol.
  • HyperShelf now allows a URL item type. This allows a URL to be added to an ODL or BookShelf shelf file, providing a direct link to HTML/Web resources external to the local host or Bookreader environment.
  • The FETCH utility FTP processing has undergone a major revision and now should present far fewer issues with some sites.
  • A new utility QDLOGSTATS allows elementary server log statistics to be generated on an ad hoc basis.
  • Built and verified against OpenSSL 0.9.6

Version 7.0  (June 2000)

  • A major release version number change due to more significant changes to some server processing than could be justified as a minor version update.
  • Extended file specification support. Under Alpha VMS V7.2ff the server and relevant scripts are ODS-5 volume compliant. This has a number of implications for server management and user activity. Please read the relevant section of the Technical and Environment Overviews.
  • Built and verified against OpenSSL 0.9.5
  • Some VMS Apache-like CGI scripting compatibility characteristics (based on the 1.3.9 BETA). These are intended to ease (or even remove completely) script portability issues between the WASD and Apache environments. CGILIB has also been modified to support VMS Apache (meaning WASD scripts using CGILIB run unmodified under Apache CGI).
  • The server will now generate OPCOM messages against various categories of events, e.g. server startup/exit, authorization failure, server administration (e.g. mapping reloads, etc.), configured using the [Opcom...] configuration directives.
  • Server error (and success) response page format improved (or at least changed). More Apache-like, consistent, informative and (in the author's opinion) aesthetically pleasing. There is now a simple mechanism (based on per-server configuration or request path SETting) for providing basic or detailed error responses.
  • Three [...BodyTag] directives allow the <BODY> tags of server generated pages (such as error reports, directory listings, etc.) to be specified. This can provide a site with a significantly consistent "look-and-feel". In addition the actual format and contents of server error and success response pages may be specified using the HTTPD$MSG configuration file.
  • The [LogPerService] configuration directive used to generate a log file using only the host name of a service (which can be problematic when virtual services share the same name, e.g. It now generates a unique name based on as much of the full service IP name string as can be accomodated by VMS syntax constraints. Previous behaviours can be retained by enabling [LogPerServiceHostOnly] directive.
  • Cookie-based session tracking is available using the [Track...] directives.
  • The [SearchScriptExclude] directive allows specified file types (extensions) from being processed as implied keyword searches when a query string is present.
  • The directive [AuthRevalidateLoginCookie] activates a cookie-based solution to consecutive authorization dialogs sometimes occuring when [AuthRevalidateUserMinutes] is active.
  • .HTA and .HTL authentication databases require renaming to .$HTA and .$HTL (see Updating? Beware).
  • The update facility has had slight aesthetic improvements (or at least changes) and slightly simplified capabilities.
  • Proxy services may now have proxy authentication applied to them. This controls access to a proxy service using a separate and distinct proxy authentication dialog supported by modern browsers.
  • A new tool, ApacheBench © The Apache Group, as used in the Apache Distribution, is included with this package (within licence conditions). It allows ad hoc server benchmarking and stress-testing (requires VMS 7.n or greater).
  • Additional information and a Perl module for using Perl within the CGIplus environment has been provided.
  • There are now a few coloured icons in the HT_ROOT:[RUNTIME.HTTPD] available if the b/w ones seem a bit lifeless ;^)

Version 6.1  (December 1999)

  • NETLIB is no longer supported/required. The remaining TCP/IP packages for VMS, Compaq TCP/IP (UCX), Multinet and TCPware, all support the BG driver interface (UCX $QIOs) so this can be used exclusively.
  • Authentication agents provide "easily" created, external authentication/authorization functionality. These are essentially CGI/CGIplus scripts (with all the attendant programming simplicity of this environment) specially invoked by the server for authorization purposes. Working examples, including an OSU CEL-compatible authenticator, are provided.
  • CGI and CGIplus scripting support for callouts. These provide direct script-server dialogs, allowing various capabilities.
  • Virtual hosting is far more comprehensive than in the base version of 6.0 (although it was actually reworked for v6.0.2). It now supports mappings against the request "Host:" header field, as well as for multi-homed hosts.
  • OpenSSL v0.9.4 has been built and tested against v6.0 and v6.1, with build and update procedures modified to support it. SSLeay is no longer supported against this version (though may continue to link and work).
  • The Server Side Includes processor now supports OSU-specific directives to provide transparent integration of OSU .HTMLX documents into the WASD environment.
  • A new USER mapping rule provides /~username/ mappings using the default device and directory from the SYSUAF.
  • As from v6.0.2 SYSUAF authentication honours NETWORK and REMOTE access account restrictions a new mechanism was required to support nil-access accounts. This is implemented using a new rights identifier, WASD_NIL_ACCESS.
  • Administration Menu reports now allow a  SHOW PROCESS /ALL  to be performed on HTTPd processes (server, subprocess and DECnet scripts). The latter also allow individual deletion from the same report.
  • The CGILIB source code has been considerably extended to support response generation, CGI callouts, Purveyor environment.
  • The server can be used to cause the browser to cancel authentication against a particular path. Use "/what/ever/path?httpd=cancel", clear the fields and OK it. Then go backwards and access the original path, which should reprompt for authorization.
  • Documentation now only supplied in HTML and PostScript formats. Plain-text and Bookreader formats are no longer generated, to help reduce the size of the distribution, and as a reflection of the diminishing importance of these formats.

Version 6.0  (June 1999)

  • Proxy HTTP and FTP serving, with local HTTP caching.
  • Authentication and authorization environment extension and refinement.
  • Much improved WATCH detail for DCL, SSL and authorization.
  • SSL now supported using the OpenSSL 0.9.3 toolkit (with initial backward compatibility with previous SSLeay releases).

    OpenSSL now has integrated VMS support (largely thanks to Richard Levitte ( WASD SSL packages include only object libraries, application objects, and support procedures (i.e. sufficient to support WASD's SSL). If a full OpenSSL toolkit is desired it should be obtained separately from or and built locally.

      Privacy provided by OpenSSL
  • CGILIB.C source code library for easing the production of CGI C Language scripts.
  • ISAPI scripting environment.
  • New TMAILER script (WASD drop-in replacement for the OSU TMAIL script).
  • New CGIUTL utility, assisting with scripting at the DCL level (particularly processing POSTed requests).
  • Improved FETCH script/utility.
  • Statement concerning Year 2000 and related issues. WASD HTTPd v6.0 has had it's directory listing dates extended to include a four digit year component.

Version 5.3  (November 1998)

  • This release has some internal modifications improving performance and granularity of processing under high loads. CGI scripting performance has also been improved, and CGIplus is 75% faster in response.
  • The WATCH facility, accessable from the administration menu, provides an online, real-time, in-browser-window view of request processing in the running server. Being able to observe live processing on an ad hoc basis, without changing server configuration or shutting-down/restarting the server process, makes this facility a great configuration and problem resolution tool.
  • While virtual service support has been possible for some time, v5.3 extends this with a specific virtual server rule syntax and server startup procedures easing the support of virtual servers, multiple server processes on the one system, and multiple server systems within a cluster. Check the new STARTUP.COM and STARTUP_SERVER.COM functionality.
  • A new SET mapping rule allows ad hoc characteristics to be set against a particular path or file template. File caching, stream-LF conversion, character set, content-type, expiry, invalid-RMS-character can currently be set on a per-path basis.
  • Local-format error reporting, using CGI scripting, Server Side Include documents, or even "flat" HTML files, can now be configured using the [ErrorReportPath] configuration directive.
  • SSL services may now use a server-common, or each a service-specific certificate (in line with other virtual service improvements).
  • The [AddType] configuration directive now allows a character set to be specified with the content-type.
  • Performance comparisons with OSU 3.3a are provided (as requested by a few of the curious).

Version 5.2  (September 1998)

  • This is really a very minor revision with two bug-fixes. It coincides with the closing date for OpenVMS Freeware CD V4.
  • DECnet scripting now supports connection reuse (as does OSU 3.3a) improving latency and throughput of network-based CGI and OSU scripting. The [DECnetReuseLifeTime] and [DECnetConnectListMax] configuration parameters support this.
  • The [AuthRevalidateUserMinutes] configuration parameter specifies the maximum period between successive authenticated requests before the user is forced to re-enter the authentication information. Zero disables this functionality.
  • The [LogExcludeHosts] configuration parameter allows certain hosts or ranges of hosts to be excluded from access logs. This can eliminate the web-administrator's "noise" accesses, etc.
  • The [StreamLFpaths] configuration parameter limits variable record to stream-LF file conversion to specified paths.
  • The [DirNoImpliedWildcard] configuration parameter allows selection of directory listing behaviour for subdirectories with home pages.
  • Improved HyperShelf/HyperReader behaviour in DECW$BOOK environments.

Version 5.1  (July 1998)

  • The package's build support and distribution content has undergone a significant overhaul. VMS V6.0, V6.1, V6.2 through to V7.1 should be supported (almost) out-of-the box. Executables are no longer provided! All installations and updates will require a link prior to any other activity.

    To assist with this, along with installation and maintenance in general, two procedures are provided:

  • The HTTPd itself has generally undergone minimal change. A few improvements to HTTP behaviour. A small number of bug-fixes.
  • The Server Side Includes processor has been considerably extended, providing facilities similar to Apache's XSSI. User-assignable variables and the conditional processing of sections of a document provide the main functionality.
  • For servers providing multiple services a per-service access log may now be generated. See configuration parameter [LogPerService].
  • The server now allows a request to specify the content-type of a returned file.
  • Finer control in the use of SYSUAF authentication is now possible using rights identifiers and the server /SYSUAF=ID qualifier.
  • User CGI and OSU scripting is now supported within WASD's DECnet scripting environment.
  • SSL support is now provided using a package based on SSLeay v0.9.0b. The server will still link and work with the 0.8.1 version.
  • WASD script output has been changed to provide a more consistent look-and-feel, including customizable colour schemes (consult the source code for more information). Extensive use of HTML 3.2 tables provides heading and button formatting (in the late '90s we should be expecting at least this from our GUI browsers, and Lynx v2.8 still reproduces the pages quite acceptably). A non-table-centric layout is also generally available. Logos and other non-essential graphics have been eliminated improving the overall efficiency and responsiveness.

    Some scripts have had their behaviour or functionality slightly improved (or at least changed ;^)  In particular, the HyperReader script has (arguably) better layout, robustness and non-English language document friendliness.

Version 5.0  (March 1998)

  • Secure Sockets Layer protocol (SSL), supported using SSLeay v0.8.1 (optional package).
  • DECnet-based CGI and OSU-emulated scripting.
  • Directory listing file size may now be configured to display in bytes, kbytes and Mbytes. I like bytes, try  [DirLayout] I__L__R__S:b__D
  • Of course new bugs have been introduced through the ongoing process of fixing the old bugs, making refinements and introducing new capability  ;^)

Version 4.5  (November 1997)

  • Configurable, monitorable file data and revision time cache introduced.
  • Configurable script run-time environments. Script interpreters such as Perl may now be transparently activated to execute a particular script.
  • Log files may now be configured to change according to a specified period ... daily, weekly, or monthly, providing some automation in managing file duration and size.
  • Minor bugs fixed and minor refinements made.
  • Everybody else is powered by ... something-or-other, well now we're  Site powered by WASD and VMS  :^)

Version 4.4  (October 1997)

  • Due to optimizations in critical sections of the server and the elimination of debug code from production executables the server's performance has significantly improved.
  • The server can now support multi-homed hosts and multiple-port services from the one process. Due to changes in connection request processing some NETLIB supporting TCP/IP packages can no longer provide DNS lookup (it now occurs at AST level, see the NETLIB documentation).
  • Conditional rule mapping; applies rules only after certain criteria other than the initial path match are met (e.g. client internet address, browser-prefered language, browser-accepted content-type, browser identification string, authenticated remote user, HTTP method).
  • The server can optionally use the VMS security profile of a SYSUAF-authenticated user name to determine whether access to a particular file or directory is permitted.
  • Configurable message database, supporting multiple, concurrent languages.
  • In addition to the common log format the server now supports the common+server and combined pre-defined formats, as well as user-defined formats.
  • Some additional command-line server control functionality.
  • Of course, the usual bugfixes (a couple of significant but not obvious ones this time) and minor refinements.

Version 4.3  (August 1997)

  • MadGoat NETLIB support. As well as native Digital TCP/IP Services (UCX) support the server can now (potentially) support these packages:

    • Cisco MultiNet for OpenVMS, any version
    • PathWay from Attachmate Inc., any version
    • TCPware from Process Software Corporation, any version
    • CMU TCP/IP (VAX only) v6.5 or later is not supported due to too great a variation from the other packages.
  • Activity report. This provides a graphical representation of server activity (requests and bytes transfered) for up to the previous 28 days.
  • DCL scripting now has greater CGI compliance. Prior to v4.3 POSTed scripts would read the request header then the body (i.e. the full request). The CGI standard is body-only. This is now the default. A configuration parameter allows the previous behaviour to be explicitly selected.
  • Logging can now be enabled and disabled on an ad hoc basis from the Server Administration Menu.
  • Some minor bugfixes and refinements.

Version 4.2  (July 1997)

  • Change of name from "HFRD VMS Hypertext Services" to "WASD VMS Hypertext Services". This follows a change of role and name for the Division.
  • CGI scripting redesigned to improve performance through the use of persistant DCL subprocesses. Some additional configuration parameters support the reworked DCL module.
  • CGIplus scripting (minor extension to standard CGI scripting) to further improve CGI performance through the use of persistant CGI applications.
  • Additional server administration reports on requests (current and history) and DCL/scripting.

Version 4.1  (April 1997)

  • Documentation brought more-or-less  :^)  up-to-date.
  • HTTP response headers now more consistant.
  • Delete-on-close for temporary files. Primarily used by the UPDate facility for previewing documents. (Beware ... any file name comprising a leading hyphen, sixteen digits and a trailing hyphen will be deleted on close!)

Version 4.0  (February 1997)

  • Very significant changes to internal data structures and processing.
  • Changes to startup and login procedures to more easily support multiple servers within clusters.
  • On-line server administration menu providing reports, configuration and run-time actions of server. Obsoletes some of the $ HTTPD/DO=... functionality previously available from the command. More extensive server reports, and much more, available via /httpd/-/admin/ (obsoletes /httpd/-/report/). These menus and dialogues generally require an HTML-table-capable browser, such as Netscape Navigator.
  • Ability to configure server characterstics requires changes to the format of the HTTPD$CONFIG and HTTPD$AUTH files. Both are backward compatible, but if upgrading and using the on-line configuration the format will be changed the first time they are updated.
  • HTTPd server becomes HTTP-cookie-aware.

Version 3.4  (October 1996)

  • More extensive server reports (via /httpd/-/report/ ... obsoleted by v4.0)
  • Minor changes to error reporting.

Version 3.3  (August 1996)

  • ``Basic'' and ``Digest'' authentication and path authorization. The digest scheme has, to date, only been tested against NCSA X Mosaic 2.7-4b, which seems to behave a little flakey when reloading documents, and does not elegantly support stale nonces.
  • A configurable module is provided to automatically convert variable to stream-LF record format files. The stream format is much more efficiently processed by the server. (VARIABLE and VFC are read record-by-record, all others in block mode).
  • To allow controlled access using authorization the server report is now generated via a path, as in the anchor ``<A HREF=/httpd/-/report>'' (obsoleted by v4.0)

Version 3.2  (April 1996)

  • The HTTPD$CONF configuration file no longer requires the encoding directive (7bit, 8bit, binary, etc.). This must be removed before upgrading from earlier versions. Encoding is now determined from the VMS file record format (VARIABLE and VFC are read record-by-record, all others in block mode).
  • Persistent connections (HTTP/1.0 defacto standard) are now supported (for the majority of HTTP transactions). This significantly reduces request network overhead.

Version 3.1  (January 1996)

  • Initial GNU Licensed freeware release.