WASD Hypertext Services - Technical Overview

The HTTP server account should be a standard account, preferably in a group of its own (definitely at least a non-system, non-user group), with sufficient quotas to handle the expected traffic.

5.1 - VMS Account

PROCESS QUOTAS: Server process quotas must be sufficient to support the expected traffic load. In particlular PRCLM must support expected script usage. BYTLM, BIOLM, DIOL, FILLM and PGFLQUO are all significant considerations. Symptoms of insufficient process quotas include:

• Textual pages OK, but pages with a significant number of images having some or all "broken".
• Scripts failing mysteriously, particularly when multiple in use concurrently.

  Username: HTTP$SERVER                      Owner:  HyperText Daemon
  Account:  HTTPD                            UIC:    [377,377] ([HTTPD,HTTP$SERVER])
  CLI:      DCL                              Tables: DCLTABLES
  Default:  HT_ROOT:[HTTP$SERVER]
  LGICMD:   LOGIN
  Flags:  Restricted DisNewMail
  Primary days:   Mon Tue Wed Thu Fri
  Secondary days:                     Sat Sun
  Primary   000000000011111111112222  Secondary 000000000011111111112222
  Day Hours 012345678901234567890123  Day Hours 012345678901234567890123
  Network:  ##### Full access ######            ##### Full access ######
  Batch:    ##### Full access ######            ##### Full access ######
  Local:    -----  No access  ------            -----  No access  ------
  Dialup:   -----  No access  ------            -----  No access  ------
  Remote:   -----  No access  ------            -----  No access  ------
  Expiration:            (none)    Pwdminimum:  6   Login Fails:     0
  Pwdlifetime:         90 00:00    Pwdchange:      (pre-expired)
  Last Login:            (none) (interactive), 11-MAY-1995 08:44 (non-interactive)
  Maxjobs:         0  Fillm:       300  Bytlm:       300000
  Maxacctjobs:     0  Shrfillm:      0  Pbytlm:           0
  Maxdetach:       0  BIOlm:       512  JTquota:       1024
  Prclm:         100  DIOlm:       512  WSdef:         1000
  Prio:            4  ASTlm:       600  WSquo:         2000
  Queprio:         0  TQElm:       100  WSextent:     20000
  CPU:        (none)  Enqlm:       256  Pgflquo:     200000
  Authorized Privileges:
    NETMBX    TMPMBX
  Default Privileges:
    NETMBX    TMPMBX

NOTE: Support procedures often change between versions. It is always advisable to check the versions documentation before installing or updating.

Examples may be found in HT_ROOT:[EXAMPLE].

HTTPd Executables

Two server executables are built by the package.

• HTTPD.EXE - This provides native support for Digital TCP/IP services (UCX).
• HTTPD_NETLIB.EXE - This provides NETLIB support for packages other than UCX.

Two additional executables are built by the SSL package (see 10 - Secure Sockets Layer).

• HTTPD_SSL.EXE - This provides SSL for Digital TCP/IP services (UCX).
• HTTPD_SSL_NETLIB.EXE - This provides SSL based on NETLIB, for packages other than UCX.

As this image is to be installed with privileges unauthorized use should be prevented by applying an ACL similar to the following against the executable image:

  $ SET SECURITY HT_EXE:HTTPD.EXE -
    /ACL=((IDENT=HTTP$SERVER,ACCESS=R+E),(IDENT=*,ACCESS=NONE))

This can be done once, at installation, or for peace-of-mind (a.k.a. VMS-ish paranoia) at each server startup.

As the HTTP$SERVER account should be completely unprivileged, and the HTTPd image requires NETMBX, TMPMBX, PRMMBX, PSWAPM, SYSNAM and SYSPRV privileges (see the "Nuts and Bolts" document for a description of how and why the server uses these privileges). It must be installed using a command similar to the following:

  $ INSTALL = "$SYS$SYSTEM:INSTALL/COMMAND_MODE"
  $ INSTALL ADD HT_EXE:HTTPD.EXE /PRIVILEGE=(ALTPRI,PRMMBX,PSWAPM,SYSPRV,SYSNAM) 

The following logical names are essential for the operation of the HTTPd server and must be defined before startup:

• HTTPD$AUTH - location of the authentication/authorization configuration file (defined system-wide, or in the job table if server-specific)

• HTTPD$CONFIG - location of the configuration file (defined system-wide, or in the job table if server-specific)

• HTTPD$MAP - location of the mapping rule file (defined system-wide, or in the job table if server-specific)

• HTTPD$MSG - location of the message file (defined system-wide, or in the job table if server-specific)

• HTTPD$GMT - offset from GMT (e.g. "+10:30", "-01:15"). For systems supporting DTSS (e.g. DECnet-Plus) this logical may be left undefined, with server time being calculated using the SYS$TIMEZONE_DIFFERENTIAL logical.

• HTTPD$LOG - if logging is enabled and no log file name specified on the command line, this logical must be defined to locate the file. When a logging period is in use this logical need only contain the directory used to store the logs.

• HTTPD$SSL_CERT - when using the SSL executable this logical locates the required server certificate.

• CGI-BIN - system logical defining a search list with the architecture-specific executable directory first, local script directory second, then the common script directory, as a concealed device.

• HT_AUTH - directory containing authentication/authorization databases (files)

• HT_EXE - directory containing the executable images

• HT_LOGS - optional definition, for convenient log file specification

• HT_SERVER_LOGS - optional definition, for convenient detached server process log file specification

The following logical name is created by the executing HTTP server and defines the name of the control mailbox:

• HTTPDport$CONTROL

The following logical names are created by the executing HTTP server if the HTTPd monitor utility is enabled:

• HTTPDport$COUNT1
• HTTPDport$COUNT2
• HTTPDport$PID
• HTTPDport$REQUEST

The server process log directory (output for the detached HTTP server processes) may require explicit access controls for the HTTPd account. This can be done by applying an ACL similar to the following:

  $ SET SECURITY HT_ROOT:[LOG]SERVER.DIR -
    /ACL=((IDENT=HTTP$SERVER,ACCESS=R+W+E, OPTIONS=DEFAULT), -
          (IDENT=HTTP$SERVER,ACCESS=R+W+E), -
          (IDENT=*,ACCESS=NONE, OPTIONS=DEFAULT), -
          (IDENT=*,ACCESS=NONE))

As with the ACL on the server executable this can be done once, at installation (or, if right over the top, at each server startup). Appropriate disk quotas may also need to be applied. Also see 5.3.2.6 - Logging.

STARTUP.COM

Putting all this together the HTTP server startup procedure becomes something similar to the supplied example. It should be called from SYSTARTUP_VMS.COM or the site's equivalent.

See HT_ROOT:[EXAMPLE]STARTUP.COM

STARTUP_LOCAL.COM

This file is automatically executed by the STARTUP.COM procedure immediately before the server is actually started. It is provided to supply all the local site's additional startup requirements. Place site-specific server environment startup in here, leaving STARTUP.COM alone as much as possible.

See HT_ROOT:[EXAMPLE]STARTUP_LOCAL.COM

HTTPD_BATCH.COM

This procedure is SUBMITted by the server STARTUP.COM using the HTTP server account, and simply creates a detached process under the control of HTTPD80.COM, or its equivalent. A parameter may be provided to this procedure. This roughly represents the port number of a server but actually represents a file HTTPD'number'.COM which controls a specific server, see below.

See HT_ROOT:[EXAMPLE]HTTPD_BATCH.COM

HTTPD80.COM

This procedure is suggested for controlling the execution of the HTTPd server and it's image. It is run in the detached process created by HTTPD_BATCH.COM. Multiple instances of this file may be created, each having a unique number, for controlling multiple servers, either on an individual node or within a cluster. Actually, just any unique string may be used for indentification.

See HT_ROOT:[EXAMPLE]HTTPD80.COM

LOGIN.COM

This procedure provides the HTTP server account login control.

See HT_ROOT:[EXAMPLE]LOGIN.COM

5.3 - HTTPd Command Line

Command-line qualifiers provide some server startup control as well as server runtime control.

5.3.1 - Server Startup

When starting up the server several characteristics of the server may be specified using qualifiers on the command line. If not specified appropriate defaults are employed.

• /ACCEPT= comma-separated list of hosts/domains allowed to connect to the server

• /AUTHORIZATION=SSL the "SSL" parameter causes all authentication (both SYSUAF and HTA database) to be available only via "https:" requests (see 10 - Secure Sockets Layer)

• /CGI_PREFIX= the prefix to the CGI symbol names created for a script (defaults to "WWW_", similar to the CERN VMS HTTPd, see 12 - Scripting)

• /DO= command to be performed by the executing server (see 5.3.2 - Server Command Line Control)

• /FILBUF= number of bytes in the read buffer for files open for processing (i.e. menu files, image mapping configuration files, pre-processed HTML files, etc., not direct file transfers)

• /FORMAT= overrides the configuration parameter [LogFormat]

• /REJECT= comma-separated list of hosts/domains not allowed to connect to the server

• /[NO]LOG[=name] either disables logging (overrides configuration directive), or enables logging and optionally specifies the log file name (also see section Logical Names, logging is disabled by default). If the file specification is "SYS$OUTPUT" the server issues log entries to <stdout>, allowing user-defined log formats to be easily checked and refined.

• /NETBUF= minimum number of bytes in the network read buffer

• /OUTBUF= number of bytes in the output buffer (for direct file transfers, buffered output from menu interpretation, HTML-preprocessing, etc.)

• /PERIOD= overrides the configuration parameter [LogPeriod]

• /PORT= overrides the configuration parameter [Port] BUT is in turn overridden by the [Service] configuration parameter and /SERVICE= qualifier (is really only useful for use with the /DO= qualifier).

• /PRIORITY= server process priority (default is 4)

• /[NO]PROFILE allows SYSUAF-authenticated username security profiles to be used for file access (see 9.6 - SYSUAF-Authenticated Users

• /PROMISCUOUS[=password] server will accept any authentication username/password pair (used for testing, demonstrations, etc.)

• /SERVICE= comma-separated, list of server services (overrides the [Service] configuration parameter)

• /[NO]SSL[=version] controls Secure Sockets Layer protocol behaviour. The version can be any of "2", "3" or "23" (i.e. both 2 and 3, and the default) specifying which SSL protocol version the server will service.

• /SUBBUF= number bytes in a subprocess' SYS$OUTPUT buffer

• /[NO]SWAP controls whether the server process may be swapped out of the balance set (default is swapping disabled)

• /[NO]SYSUAF[=ID,SSL] allows or disallows (D) username authentication using the server system's SYSUAF (see 9.6 - SYSUAF-Authenticated Users, the optional "SSL" parameter causes SYSUAF authentication to be available only via "https:" requests (see 10 - Secure Sockets Layer), and the optional "ID" parameter makes SYSUAF authentication only available to account possessing a specific identifier. See 9.6 - SYSUAF-Authenticated Users.

• /VERSION merely displays the executable's version string and the copyright notice

Note: buffer sizes apply on a per-request (thread) basis, and may be tailored for specific environments at server startup.

5.3.2 - Server Command Line Control

A foreign command for the HTTPD control functionality will need to be assigned in the adminstration users' LOGIN.COM, for example:

  HTTPD == "$HT_EXE:HTTPD"
  !HTTPD == "$HT_EXE:HTTPD_NETLIB"

Some control of the executing server is available from the DCL command line on the system on which it is executing. This functionality, via the "/DO=" qualifier, is available to the privileged user. If a non-default server port, or multiple servers on the one system are being used, then it will be necessary to provide a "/PORT=" qualifier with any command, and possibly issue it multiple times. Of course, these commands are available from batch jobs as well as interactively.

5.3.2.1 - Accounting

Server counters may be zeroed. These counters are those visible from the statistics admininstration menu item and when using the HTTPDMON utility.

  $ HTTPD /DO=ZERO

See 9 - Authentication and Authorization.

The authorization rule file (HTTP$AUTH) may be reloaded.

  $ HTTPD /DO=AUTH=LOAD

The authentication cache may be purged, resulting in re-authentication for all subsequent authorization-controlled accesses. This may be useful when disabling authorization or if a user has been locked-out due to too many invalid password attempts.

  $ HTTPD /DO=AUTH=PURGE

Server cache control may also be exercised from the server administration menu, see 11 - Server Administration. The file cache (see 13 - Cache) may be enabled, disabled and have it's contents purged (declared invalid and reloaded) using

  $ HTTPD /DO=CACHE=ON
  $ HTTPD /DO=CACHE=OFF
  $ HTTPD /DO=CACHE=PURGE

These commands can be useful for flushing any currently executing CGIplus applications from the server, enabling a new version to be loaded with the next access. See 12 - Scripting.

All scripting subprocesses, busy with a request or not, can be deleted (this may cause the client to lose data).

  $ HTTPD /DO=DCL=DELETE

A gentler alternative is to delete idle subprocesses and mark busy ones for deletion when completed processing.

  $ HTTPD /DO=DCL=PURGE

All DECnet connections, busy with a request or not, can be disconnected (this may cause the client to lose data).

  $ HTTPD /DO=DECNET=DISCONNECT

Purging is a better alternative, disconnecting idle tasks and marking busy ones for disconnection when complete.

  $ HTTPD /DO=DECNET=PURGE

Server logging control may also be exercised from the server administration menu, see 11 - Server Administration.

Open a log file.

  $ HTTPD /DO=LOG=OPEN

Optionally open and specify a log file name. This overrides any /LOG=file-name or HTTPD$LOG specified file name.

  $ HTTPD /DO=LOG=OPEN=file-name

The log file may be closed and reopened using a different name (allowing continuous operation but, for example, with daily log files). This overrides any /LOG=file-name or HTTPD$LOG specified file name.

  $ HTTPD /DO=LOG=REOPEN=file-name

Close the log file.

  $ HTTPD /DO=LOG=CLOSE

Unwritten log records may be flushed to the file.

  $ HTTPD /DO=LOG=FLUSH

The format and period specification of the log may be changed (only takes effect after the next log file open/reopen) using

  $ HTTPD /DO=LOG=FORMAT=string
  $ HTTPD /DO=LOG=PERIOD=string

See 8 - Mapping Rules.

The mapping rule file (HTTP$MAP) may be reloaded.

  $ HTTPD /DO=MAP

Server shutdown may also be exercised from the server administration menu, see 11 - Server Administration.

The server may be shut down, without loss of existing client requests. Connection acceptance is stopped and any existing requests continue to be processed until conclusion.

  $ HTTPD /DO=EXIT

The server may be immediately and unconditionally shut down.

  $ HTTPD /DO=EXIT=NOW

The server may be restarted, without loss of existing client requests. Connection acceptance is stopped and any existing requests continue to be processed until conclusion. This effectively causes the server to exit normally and the DCL wrapper procedure to restart it.

  $ HTTPD /DO=RESTART

This variant restarts the server immediately regardless of existing connections.

  $ HTTPD /DO=RESTART=NOW

A multi-homed host responds to connections for more than one network address. Details on configuring Digital TCP/IP (UCX) for this behaviour may be found in the Digital TCP/IP Management manual, section on "Subnetwork Routing" (3.4.8 in the November 1995 edition) and Digital TCP/IP Management Command Reference, section on "SET INTERFACE" (November 1995 edition). The server configuration parameter [Service] allows for the processing of requests for multiple host-names and/or ports (see 6.2 - Directives) while conditional mapping rules enhance this basic capability (see 8.5 - Conditional Mapping).

Assuming an alternate, unused host name exists (for example):

  $ UCX
  UCX> SET HOST "second.host.name" /ADDRESS=131.185.30.2 /ALIAS=("second","SECOND")
  UCX> [EXIT]
  $

The system IP interface can be determined as follows (in this example it is SE0, the LO0 is the localhost interface):

  UCX> SHOW INTERFACE
                                                             Packets
  Interface   IP_Addr         Network mask          Receive          Send     MTU

   SE0        131.185.30.1    255.255.0.0            595567        262764    1500
   LO0        127.0.0.1       255.0.0.0                   1           573   65535  ?
  UCX> SHOW INTERFACE SE0 /FULL
  Interface: SE0
    IP_Addr: 131.185.30.1      NETWRK: 255.255.0.0       BRDCST: 131.185.255.255
                        Ethernet_Addr: AA-00-04-00-59-04    MTU:  1500
  .
  .
  .
    Restarting attempts                  0
    Successful restarts                  0

Note the network and broadcast masks of the interface above. The basic procedure then is to create a pseudo-interface (the "A" added to the hardware device name) as follows:

  UCX> SET INTERFACE SEA0 /HOST="second" /NET=255.255.0.0 /BROAD=131.185.255.255
  UCX> SET PROTOCOL IP /FORWARD

After the above commands the interfaces should appear as shown below:

  UCX> SHOW INTERFACE
                                                             Packets
  Interface   IP_Addr         Network mask          Receive          Send     MTU

   SE0        131.185.30.1    255.255.0.0            595567        262764    1500
   SEA0       131.185.30.2    255.255.0.0               169            99    1500
   LO0        127.0.0.1       255.0.0.0                   0          2263   65535  ?

These commands can be done interactively, during each startup, or placed in the permanent UCX configuration database once, as follows:

  UCX> SET CONFIG INTERFACE SEA0 /HOST="second" /NET=255.255.0.0 /BROAD=131.185.255.255
  UCX> SET CONFIG PROTOCOL IP /FORWARD

Digital TCP/IP Services v4.1 at least, appears to determine an outgoing connection's originating host address from the IP address of the "highest" pseudo-interface defined (in this case from the SEA0, resulting in an apparent source address of 131.185.30.2). This can cause some confusion on remote hosts as to the origin of a connection, and otherwise be generally undesirable.

A solution appears to be to assign the primary address to the last defined interface. This means the original interface must be removed using a

  UCX> SET CONFIG NOINTERFACE SE0