Significant Changes

This page documents changes to the WASD VMS Hypertext Services Package that have some effect on configuration or behaviour. It lists changes from version 3.1 onwards, the first to be made available as freeware.

Updating? Beware!

Version 10.4 (December 2014)

WASD — for two decades and more — the only Web environment implemented expressly for VMS!

Before UNZIPing the v10 package when updating an existing v9.3 or earlier installation, see all of the requirements of the v10.0 update below, including the "Updating? Beware!" note.

Secure Sockets Layer (SSL), and its successor Transport Layer Security (TLS), configuration has undergone some refinement and is finally available via WASD_CONFIG_GLOBAL in addition to WASD_CONFIG_SERVICE and the /SSL= command-line qualifier. WASD now supports only the TLS protocol family by default. Some older clients employing SSLv3 may fail to connect. The deprecated SSLv3 and obsolete SSLv2 can be re-enabled by configuration, but note that doing so reintroduces known protocol weaknesses (SSLv3 is the target of the POODLE padding-oracle attack, CVE-2014-3566), so only re-enable for a documented, time-limited legacy need.

Directory listing (Index of) default is now formatted using HTML tables. This should be completely transparent to the end-user. The mapping SET dir=style=anchor[2] can (re)enable the pre-v10.4 listing mechanism.

New ?httpd=index directives: ?httpd=index&font=[inherit|monospace(D)], ?httpd=index&style=table[2] (default).

New SET mapping rules: client=[forwarded|if=forwarded|literal=|reset|if=xforwardedfor|xforwardedfor], dir=font=[inherit|monospace(D)], dir=style=table[2], cors=age=, cors=cred=[true|false], cors=expose=, cors=headers=, cors=methods=, cors=origin=, ods=name=8bit, ods=name=utf8, ods=name=default, webdav=[no]hidden, webdav=meta=dir=.

WebDAV now allows metadata files to be placed in one of three configurable locations: with the data file (historic and default), in a subdirectory of the data file directory, or in an independent area of the file-system. NOTE: the location of directory metadata has moved from the parent to the directory itself!

Services may be explicitly bound, via WASD_CONFIG_SERVICE [ServiceBind], to 0.0.0.0 (INADDR_ANY).

User-defined logging directives 'CI', 'SR' and 'SV' for the SSL/TLS cipher, SSL/TLS session reuse and SSL/TLS protocol version items, and COMMON+, COMMON_SERVER+ and COMBINED+ composite log formats. Logging 'SV' and 'CI' is the practical way to find out which clients still negotiate SSLv3 or weak ciphers before (or after) tightening the protocol configuration.

The new stream facility provides a lightweight, internally generated response of printable characters or binary octets, at maximum server and platform throughput, for testing or metric purposes.

The Conan (VMS Help), HyperSPI, HyperReader and Query scripts have had minor "look-and-feel" updates (a passing nod to the twenty-first century :-) NOTE: sites using customised button lists, etc., should assess and if necessary adjust for the new interfaces.

The calendar, charset, colors, glist and hdisk scripts, along with the gift GIF image code, have been removed from the package. These are also completely removed by the update "cleanup" procedure.

A small number of server fixes and minor refinements.

Version 10.3 (October 2013)

Secure Sockets Layer now implements Server Name Indication (SNI), an extension to the TLS protocol by which the client indicates, at the start of the handshake, the hostname it is attempting to connect to. This allows a server to present multiple certificates on the same IP address and port number.

Directory listing (Index of) icons now uniformly attempt to supply a plain-text version of the file. Some browsers and O/S still insist on ignoring the response-specified content-type!
Also see the section Faux Extension in the Environment Overview.

Directory listings can now be sorted other than by name. This JavaScript-enabled capability also allows the listing to be resorted on-page, on-demand, without a further request to the server.

New ?httpd=index directives: ?httpd=index&ilink=[yes|no], ?httpd=index&local=[yes|no], ?httpd=index&override=[yes|no], ?httpd=index&query=, ?httpd=index&style=, ?httpd=index&sort=[+|-], ?httpd=index&target=, ?httpd=index&these=[,], and ?httpd=index&versions=|*

A new control file, .WWW_WASD, can contain one or more ?httpd=index directives for per-directory application.

New SET mapping rules: dir=[no]ilink, dir=delimit=, dir=style=sort, dir=style=2, dir=sort=[+|-], dir=target=, dir=these=[,], and dir=versions=|*

Keywords added to the SET mapping rule put=rfm=[fix512|stm|stmcr|stmlf|udf].

Keywords added to global configuration directives: [PutBinaryRFM] [fix512|stm|stmcr|stmlf|udf], and ftp: and rfm: to [AddType].

The per-service directive [ServiceNonSSLRedirect] allows a non-SSL request arriving at an SSL service to be redirected to the specified non-SSL service.

An authorisation realm read-only group can be specified as an asterisk ("*") to represent that everyone else can read.

The persona scripting environment now permits shared UIC accounts (despite this not being considered best practice).

GZIP compression now directly supports the GNV LIBZ port via GNV$LIBZSHR32 (WASD checks for the WASD_LIBZ_SHR32, then GNV$LIBZSHR32, and finally LIBZ_SHR32 logical names).

WebDAV on non-EFS (extended file system) volumes, i.e. VAX, has received some necessary fixes and refinement. Within the constraints of ODS-2 it now works.

There have been a number of fixes and refinements to the WebSocket library.

Server-generated HTML and miscellaneous documentation have received some refinement, making them more compliant with modern practice and standards. Not necessarily perfect but nevertheless improved.

And a small number of server fixes and refinements.
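The SNI support introduced in 10.3 above depends on one field of the client's first handshake message: the server_name extension of the ClientHello, which arrives before any certificate is chosen and in clear text. The following is an added example, not WASD or OpenSSL code, that constructs such a ClientHello and then extracts the name from it the way a server (or a TLS-aware proxy or IDS) has to; the message is built locally, not captured from a real client, and the bounds checks show where a malformed hello has to be rejected rather than trusted.

```python
import struct

# Added example (not WASD code): building and parsing the server_name extension
# of a TLS ClientHello, which is what SNI-based certificate selection keys on.
# The ClientHello below is constructed here, not captured from a real client.

def _need(buf, start, n):
    """Return buf[start:start+n], raising if the input is shorter than it claims."""
    if start + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[start:start + n]

def build_client_hello(hostname=None):
    """Constructed TLS 1.2 ClientHello in a TLS record; SNI present only if hostname given."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name
        sni = struct.pack("!H", len(entry)) + entry                   # ServerNameList
        ext = struct.pack("!HH", 0x0000, len(sni)) + sni              # extension_type server_name
        extensions = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + bytes(32)          # client_version, random (zeros: constructed)
            + b"\x00"                         # session_id length
            + b"\x00\x02\x00\x2f"             # one cipher suite
            + b"\x01\x00"                     # null compression
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the host_name from the ClientHello's server_name extension, or None."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = _need(record, 5, rec_len)
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = _need(hs, 4, int.from_bytes(hs[1:4], "big"))
    i = 2 + 32                                                        # skip version, random
    i += 1 + _need(p, i, 1)[0]                                        # session_id
    i += 2 + struct.unpack("!H", _need(p, i, 2))[0]                   # cipher_suites
    i += 1 + _need(p, i, 1)[0]                                        # compression_methods
    if i >= len(p):
        return None                                                   # no extensions (older clients)
    ext_len = struct.unpack("!H", _need(p, i, 2))[0]
    i += 2
    _need(p, i, ext_len)
    end = i + ext_len
    while i + 4 <= end:
        etype, elen = struct.unpack("!HH", p[i:i + 4])
        i += 4
        edata = _need(p, i, elen)
        i += elen
        if etype != 0x0000:
            continue
        list_len = struct.unpack("!H", _need(edata, 0, 2))[0]
        j = 2
        while j + 3 <= 2 + list_len:
            ntype = edata[j]
            nlen = struct.unpack("!H", _need(edata, j + 1, 2))[0]
            j += 3
            name = _need(edata, j, nlen)
            j += nlen
            if ntype == 0x00:
                return name.decode("ascii")
    return None
```

A hello without the extension returns None, which is the case a server must still handle (it falls back to a default certificate); a hello whose length fields overrun the data raises rather than reading past the buffer.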
Version 10.2 (November 2012)

This is essentially a WebSocket maintenance release. There have been a number of fixes and refinements to the library and associated server processing.

There is a new, niche authentication mechanism: token.

And (of course) a small number of server fixes and refinements.

Version 10.1 (November 2011)

Dragged kicking and screaming into the mid-1990s! The WASD package used to build to a baseline of VMS V6.0; it now builds to a baseline of VMS V7.0. Of course WASD now also requires a minimum of VMS V7.0 to execute.

Secure Sockets Layer now supports SSLv3 and TLSv1 by default (previously SSLv2 and SSLv3). If necessary, the vulnerable and deprecated SSLv2 can be re-enabled using the /SSL= command-line parameter.

HTML 5 WebSocket scripting implementation.

Considerable effort has gone into eliminating alignment faults on Alpha and Itanium (going from sometimes several hundred per request down to zero). The server also continuously monitors alignment faulting and the Server Admin menu now contains an associated report item (which should always report zero!)

Additional meta-config conditionals: directory:, file: and websocket:

Global configuration directives: [DclScriptProctor] proactively starts and maintains DCL scripts and scripting environments, [RegEx] enables/disables regular expressions, [ServiceProxyChainCred] supplies up-stream proxy credentials, and [WWWimplied] enables the virtual hosts host.name and www.host.name to be treated as synonymous.

New SET mapping rules: notimeout (short-hand for timeout=none,none,none), map=uri, proxy=chain=cred=, proxy=tunnel=request=, put=max= (kbytes), put=max=* (unlimited), regex=, script=lifetime=, service=, websocket=.

New DCL callouts LIFETIME: and SCRIPT-CONTROL:

Mapping and authorisation configuration lines beginning "!#" are now displayed in Server Admin reports and are WATCHable during rule processing. This allows meaningful commentary to be displayed within these reports.

Command-line checks of configuration files, /DO=AUTH=CHECK, /DO=CONFIG=CHECK (all configuration files), /DO=GLOBAL=CHECK, /DO=MAP=CHECK, /DO=MSG=CHECK and /DO=SERVICE=CHECK, provide some insurance against fatal configuration errors when restarting.

Command-line control of WebSocket connectivity with /DO=WEBSOCKET=DISCONNECT.

Proxy tunnel requests can now introduce a mapped request header (see SET above) to be sent to the remote server. This adds considerable flexibility in WASD-to-WASD tunnelling.

Statistics Report durations no longer include proxy tunnel or WebSocket requests (usually of much longer duration) and so more accurately reflect the general Web request response characteristics.

IPv6 name resolution is now capable of resolving AAAA records.

Version 10.0 (November 2009)

The first entry in the source code version log is "20-JUN-1994, v1.0.0", which puts the v10.0 release well into WASD's sixteenth year!

Before UNZIPing the v10 package when updating an existing v9.3 or earlier installation, the current root directory must be renamed from HT_ROOT.DIR to WASD_ROOT.DIR. The v10 package uses [WASD_ROOT] as its top-level directory in line with the other naming schema changes employing "WASD". See Updating? Beware!

After a development phase rivalling pachyderm gestation, WASD finally supports WebDAV (compliance classes 1 and 2).

The schema for logical names has been changed to use a "WASD_" prefix (in as much as possible considering backward-compatibility requirements). Logical names are now (largely) confined to a WASD_TABLE logical name table. Server and scripting process names now contain "WASD" (rather than "HTTPd").

An ACME authentication DOI name of "*" indicates use of the default ACME$LATEST_ENABLED_AGENT_LIST rather than a specified DOI (the authentication realm is set to the DOI authentication realm).
Global configuration directives: [AuthSYSUAFlogonType] allows the SYSUAF logon type to be specified, [BufferSizeNetFile] and [BufferSizeNetMTU] allow some scope for tuning transfer buffer size, [HttpTrace] enables/disables the HTTP TRACE method (leave it disabled unless there is a specific diagnostic need; TRACE echoes the request, headers included, back to the client), [PutBinaryRFM] configures the file record format, [ServiceLogFormat] allows a per-service log format, and [WebDAV...] set various WebDAV characteristics.

New SET mapping rules: css=, put=max=, put=rfm=[FIX512|STMLF], script=agent=as=, webdav=...

Authorization rules using SYSUAF/VMS authentication allow a 'param="logon=type"' to specify the logon type (NETWORK the default, LOCAL, DIALUP, REMOTE) to be restricted against.

Services can now identify Secure Shell (SSH) connections. With a suitable client (e.g. PuTTY) this can allow SSH tunnelling through a proxy gateway (i.e. to port 443 and on to an SSH server via SSL proxy).

The WATCH script item allows a script to detect and respond to being WATCHed.

The usual collection of server bugfixes and minor enhancements (see [SRC.HTTPD]VERSION.H).

Version 9.3 (March 2008)

WASD licensing has been moved to version 3 of the GNU General Public Licence. This is a natural progression from version 2, under which WASD was previously released.

Server Admin, Request Report now initially lists only currently processing requests. Persistent connections can subsequently be included from a button at the end of the report. Requests currently under throttle control, and request history, are similarly available.

WATCH now provides filtering on response HTTP status. Note that this is applied very late in request processing and so provides limited information. Nevertheless it can be useful for locating requests generating unusual response statuses.

HTTPDMON now includes the GZIP compression ratio and any authenticated user name and realm as part of the request data.

Global configuration directives [SocketSizeRcvBuf] and [SocketSizeSndBuf] allow socket receive and send buffers to be changed from the TCP/IP agent default.

The WATCH network item displays the current (default) values if not set, or the values being set.

[ServiceProxyAuth] has the additional keyword chain, which allows the propagation of proxy authentication credentials to an up-stream proxy server. It is not possible to have multiple, chained proxies require authentication.

SYSUAF authentication is now unconditionally performed using ACME ($ACM service) for VMS V7.3 and later on Alpha and Itanium. This obsoletes the global configuration directive [AuthSYSUAFuseACME]. NOTE: the use of SYS$ACM has some implications for sites with some users having a Pathworks account and others relying only on UAF accounts. SYS$ACM fails with "%LOGIN-F-NOLOCAUTH, not authorized to override external authentication" for Pathworks users. Setting SYS$SINGLE_SIGNON to 3 has no effect on that. The only workaround is to set the VMSAUTH flag for each user. (Courtesy Jean-Pierre Petit of ESME-Sudria.)

DCL scripting callouts REDACT: and REDACT-SIZE: (see below), NOTICED: (and auth agent NOTICED), OPCOM: (and auth agent OPCOM), and the auth agent callout SCRIPT-META.

Request redaction allows a scripting process (and authentication agent) to suspend request processing, redirect to another URI, and then resume original (or modified) request processing at a later stage. This facility was introduced to allow PAPI authorization to be supported.

A variant authorization realm can now be agent+opaque to implicitly suppress the automatic username/password challenge (saving a /PARAM=NO401 on each path).

The usual collection of server bugfixes and minor enhancements (see [SRC.HTTPD]VERSION.H).

Version 9.2 (November 2006)

Documentation previously provided as PostScript is now in PDF. This is produced via an intermediate PostScript version generated by DECdocument which is then post-processed using VMS-based Ghostscript (currently AFPL Ghostscript 8.54).
Without completely reworking the documentation, a significant amount of time has been spent attempting to ensure it is accurate and up-to-date, with some of the more arcane areas simplified and/or expanded.

The Server Administration facility now contains an [Active][Passive] pair of buttons. On multi-instance sites this allows all but one instance to be made quiescent (not listening for network connections). This can simplify the use of the WATCH facility by "forcing" all requests through the remaining active instance. The equivalent command-line directives are /DO=INSTANCE=ACTIVE and /DO=INSTANCE=PASSIVE.

The Server Activity graph now displays network connections, peak and current, and more accurately represents requests: now total, max, peak and current. It also has [ - ][ + ] buttons for controlling graph zoom.

WATCH reporting has significant enhancements allowing requests to be filtered in or out of the report based on client, service, request header field, path and authentication criteria.

Proxy affinity (also known as client-to-origin affinity, courtesy Jean-Pierre Petit (jpp@esme.fr)) uses cookies to allow the proxy server to make every effort to relay successive requests from a given client to the same origin host.

A tunnelled, raw (proxy) service request can now be chained to another proxy server, generating an intermediate CONNECT request to navigate through the up-stream proxy server.

Access logging now supports an HOURLY period. Also, if access logs are located on an ODS-5 volume the ODS-2 constraints on file name length are relaxed. This allows the full service host name components, etc., to be present in the log file name.

The authorization realm OPAQUE allows a script to control all aspects of an HTTP authorization interaction with a browser.

Additional meta-config conditionals: server-protocol: and service:.

New global configuration directives: [InstancePassive], [ProxyConnectTimeoutSeconds] and [ServiceProxyAffinity].

New SET mapping rules: proxy=reverse=[no]auth and proxy=[no]affinity.

An eclectic congregation of server bugfixes and minor enhancements (see [SRC.HTTPD]VERSION.H).

The [SRC.AGENT] directory contains two versions of working LDAP authentication agents. These rely on the integrated LDAP support available with VMS V7.3 and later.

The QDLOGSTATS utility now allows entries to be selected on a date/time since-and-before specification. This is supported when using the CGI or command-line interface. There have been other minor refinements.

The WOTSUP utility has seen significant enhancements. It will now monitor and report on all processes supporting multiple instances. HTTP status code monitoring granularity has been improved so that individual codes can be reported against. Emailed alerts now contain a subject field with an "executive summary" of the contents. Check the source code for more information.

A procedure SHUTDOWN.COM is now copied into the [STARTUP] directory during installation. This shuts down the server and un-INSTALLs WASD-related files and is intended for inclusion in site-specific system shutdown procedures.

Version 9.1 (June 2005)

Extensions to GZIP response compression: caching of GZIP content, removing the need to recompress with each response; caching of proxied GZIP responses; GZIP compression of non-GZIPed proxy responses from proxy server to proxy client.

Revised multihomed service processing. This provides better service discrimination and can ease some SSL certificate support constraints across services using the same IP port.

Per-authenticated-user request throttling. This allows control of how many concurrent requests a particular authenticated user can have processing against a particular path. An extension to the existing throttle facility.

Additional /DO=NOTE=string command-line directive. Provides ad hoc administrator data to meta-config conditional rule processing.
A quick, neat method for suddenly changing a server's (or cluster of servers') rule processing!

Modified /DO=DCL=[PURGE|DELETE]=[USER|SCRIPT|FILE]=string and /DO=THROTTLE=[RELEASE|TERMINATE]=[USER|SCRIPT]=string directives. These allow free-form parameters to be added to the basic directive (e.g. a username) and are currently restricted to Alpha and Itanium VMS V8.2 platforms (requires the 64 byte lock value block).

The Server Administration facility now provides a [/DO=]{} button and text field to allow the equivalent of entering any /DO= directive at the command-line.

The HTTPD$MSG logical name can now contain multiple values, allowing a "search list" message file specification where a local file need only contain a subset of the full number of messages. This removes the need to merge local and WASD message files whenever a revised one is released.

Additional meta-config conditionals: instance:, multihome:, note:, robin:. The robin: conditional provides an interesting processing distribution mechanism.

New SET mapping rules script=control=<..> and script=symbol=truncate. Modified SET mapping rule throttle=/ to support per-authenticated-user throttling.

The HTTPD$VERIFY logical name may now be defined to contain a dotted-decimal IP address. This confines the $ SET VERIFY behaviour to the client with that IP address (more easily allowing script trouble-shooting on a live server).

Refined SYSUAF password expiry URL handling.

A new utility named WOTSUP is intended for monitoring a WASD server in a production environment and reporting via OPCOM, email and a local mechanism if there is a real or suspected issue with its processing. Check the WOTSUP doc (no, not original with me but I can't resist using it :-) in the source code description in the [SRC.UTILS] directory.

The UPDATE and INSTALL build procedures now contain an option to build with CPU optimisations (/ARCHITECTURE=HOST). This can provide significant performance improvements. CAUTION! In a cluster sharing various Alpha CPU families (e.g. EV4, EV5, EV56, EV6, EV67) this could at best improve the performance of some while degrading that of others; at worst it may create an executable incompatible with some members.

Version 9.0 (December 2004)

HTTP/1.1 compliance (RFC2616). Persistent connections and request pipelining (tested using Mozilla 1.7) provide significantly and noticeably improved performance. Connection persistence is now also supported for SSL, client->proxy and proxy->origin server connections.

With the very real benefits of HTTP/1.1 connection persistence it may be good policy to extend the HTTPD$CONFIG [TimeoutPersistent] directive (formerly [TimeoutKeepAlive]) to something more like 00:00:30 (thirty seconds). Also monitor [ConnectMax] (formerly [Busy]). This may need to be extended to accommodate an increased number of connections persisting for a longer period. BETA testing showed that MSIE (6 at least) connection persistence over SSL could be problematic with [TimeoutPersistent] less than ten seconds.

Proxy processing is substantially HTTP/1.1 compliant; proxy caching slightly less so, but it does not flagrantly flout HTTP/1.1 guidelines. Broader response caching and persistent client->proxy and proxy->origin server connections provide substantial performance improvements.

Proxy tunnelling, an extension of the HTTP CONNECT method, allows raw octet connections through WASD to independent applications (e.g. telnet, SMTP servers) and SSL-encrypted octet connections between WASD servers.

GZIP request and response content-encoding, in conjunction with the ZLIB v1.2.1 (or later) port by Jean-François Piéronne.

New logout functionality associated with [AuthRevalidateUserMinutes] and/or SET auth=revalidate= and "?httpd=logout".

Explicit server code optimizations providing tangible performance improvements.
The WB (WASD Bench) utility now supports a variety of POST functionality (originally needed to develop and test WASD's HTTP/1.1 chunked transfer-encoding and GZIP content-encoding body processing).

The PCACHE utility has been updated to handle v9.0 proxy cache files.

A new utility, FORMWORK, located in the [SRC.MISC] directory, provides functionality for accepting and processing data POSTed from HTML forms for input into comma-separated (CSV) files. (It was a q&d solution for gathering user-input data on some 6,000 systems at my own site.)

CGILIB now has a shareable image on Alpha and IA64 (none is supplied for VAX; too many dependencies). The latest STARTUP.COM defines the system-table logical name WASD_CGILIBSHR32 for this image. Check [SRC.MISC]CGILIB_EXAMPLE.COM for a linkage example.

New global configuration directives: [ConnectMax] (supersedes [Busy]) max concurrent connections, [EntityTag] enables the generation of file "ETag:", [GzipAccept] accepts gzip-encoded request bodies, [GzipResponse] level[,memory,window] gzip-encoded responses, [LogWriteFail503] service unavailable 503 response when an access log write fails, [PipelineRequests] enables pipeline processing, [ProcessMax] max concurrent requests being processed, [ProxyCacheNegativeSeconds] for non-success responses, [ProxyConnectPersistMax] and [ProxyConnectPersistSeconds] for controlling proxy->server connection persistence, [ServiceProxyTunnel] connect | firewall | raw, [ServiceClientSSLcert] and others allow outgoing SSL configuration, [TimeoutPersistent] supersedes [TimeoutKeepAlive].

New SET mapping rules: script=syntax=[no]unix, response=gzip=<..>, script=body=[no]decode, report=tunnel.

An additional CGI "Script-Control:" directive, X-content-encoding-gzip[=0|1].
Version 8.5 (June 2004)

WASD 10th Anniversary

Although there had been some coding going on during the previous year, the first official entry in WASD's version log is 20-JUN-1994, v1.0, with the first freeware release some eighteen months later at 03-JAN-1996, v3.1. And it's been under continuous development and refinement (and bugfixing :^) for that full ten years, a substantial portion of the entire history of the "Web". Thanks to a whole swag of people for support, suggestions, problem reports and general encouragement; especially to my understanding spouse for her continuing patience.

IP version 6 (IPv6) is now supported concurrently with IP version 4 (IPv4). All networking functionality, service creation, proxy HTTP, SSL, FTP and RFC1413 authorization is IPv6 enabled, along with the HTTPDMON and QDLOGSTATS utilities. During the integration of IPv6 the full TCP/IP networking codebase underwent significant refinement. Note that the IPv6 functionality has not been used extensively in the field; use with caution at first!

ACME authentication for Alpha VMS 7.3 and later is now available. Two OpenVMS ACME agents are currently available, "VMS" (SYSUAF) and "MSV1_0" (Microsoft domain authentication used by Advanced Server). Others, including Kerberos and LDAP, have been suggested as candidates for development and future release. The [AuthSYSUAFuseACME] configuration directive allows all SYSUAF authentication to be performed by the ACME services on applicable platforms.

RMS has been eliminated from file content and proxy cache file access, providing improved latency and efficiency. VAR and VFC record format files are now converted to stream format using non-RMS routines and this alone returns a 600% improvement in throughput (yes, 6x!)

Path mapping now notes the device on-disk structure (ODS) for all PASS rules and applies that to the syntax of the path being mapped to the file-system. This can still be overridden using SET ods= mapping rules.

A scripting process now performs a SET DEFAULT to the directory the script is located in before script activation. The mapping rule SET script=default= allows this to be explicitly set on a per-path basis. A script=default=# mapping suppresses the SET DEFAULT (for backward compatibility).

On applicable platforms a scripting process now performs a SET PROCESS /PARSE=EXTENDED or SET PROCESS /PARSE=TRADITIONAL depending on whether the script path is located on an EFS (ODS-5) volume or not.

It is now possible to set SSI document parsing availability and capabilities on a per-path basis using SET ssi=exec=.

The SET response=[keyword|] rule allows some control over response header generation.

Scripts can now generate SSI markup as output and pass that to the server's internal SSI engine for parsing and subsequent HTML output. The CGI response extension header field Script-Control: X-content-handler: SSI activates this functionality.

Version 8.4 (January 2004)

The package can now be deployed on IA64 (Itanium) based systems running HP OpenVMS Industry Standard 64 Evaluation Release Version 8.1. Clusters of Alpha, IA64 and VAX systems can use the one, fully-integrated installation. All supported WASD functionality is present, with additional support package availability (e.g. Perl, PHP) dependent on any underlying software support on the IA64 system. SSL (Secure Socket Layer) functionality can be provided through the HP-supplied IA64 SSL product or the WASD OpenSSL kit (for IA64).

DCL scripting supports the VMS 7.3-2 (and later) Extended DCL (EDCL) maximum command-line length (4095 characters, up from 255) and symbol size (8192 characters, up from 1024). These extents are of course ultimately constrained by the command mailbox quota (configurable).

The server now supports the "Range: bytes=[,]" request header field and will provide a 206 partial content response for non-variable-record-length files and for cached files.
The server will also proxy such requests and responses (but does not cache them).

The previously file-only caching facility has been extended to allow script, SSI document and even "general network" output optionally to be cached. This is intended to provide efficiencies for sites where relatively static pages are being generated using environments such as PHP and Perl. Additional SET cache= mapping rules allow this to be tailored on a per-path basis.

The HTTPD$CONFIG [CacheGuardPeriod] directive allows the default period of fifteen seconds to be extended. The HTTPD$MAP rule SET cache=guard= provides this on a per-path basis. During this period subsequent reloads using request header fields that specify no-caching will not result in the entry being revalidated or flushed.

For those who consider a Web server should be a NETWORK service, the server process (along with any associated script processes) can now run in network mode. The STARTUP.COM procedure accepts a WASD_NETWORK parameter and starts the detached server using the required /NETWORK qualifier. Scripts that need to differentiate between standard and DECnet activation may require some minor revision (see CGI_SYMBOLS.COM for one possible mechanism). The $GRANTID system service used to support /NETWORK mode operation requires the server image to be installed with CMKRNL privilege. The revised STARTUP.COM provides this. CMKRNL permits arbitrary kernel-mode execution, so an image installed with it must be protected against modification as carefully as any other privileged image.

The /PERSONA=IDENT= facility is now available to those using the PERSONA_MACRO build (required for detached scripting processes under VAX VMS versions earlier than 6.2).

Script activation code has been revised to support command-line definition files (.CLD) to specify a script. The order in which an un-typed script is now searched for is .COM, .CLD, .EXE and then as specified by [DclScriptRunTime].

Scripting will now allow parameters to be added to the command-line activation on a per-path basis using the SET script=command= mapping rule.

The HTTPD$MSG [Language] directive now allows a specified character set to be associated with that language's messages.

Reverse proxy now supports the rewriting of a 302 "Location:" response URL using the SET proxy=reverse=location= mapping rule. Reverse proxy also supports a specialized authorization and verification scheme known as proxy verify. For detailed information consult the description found in the [SRC.HTTPD]PROXYVERIFY.C module.

Some control over the number of concurrent client requests in progress may be exercised using the client_current_gt: conditional to adjust mapping and subsequent processing.

New SET mapping rules: cache=[no]cgi, cache=expires=, cache=[no]file, cache=guard=, cache=maxkbytes=, cache=[no]net, cache=[no]nph, cache=[no]query, cache=[no]ssi, map=root=, map=set=[no]ignore, map=set=[no]request, proxy=reverse=location=, proxy=reverse=verify, response=header=<[append|full|none]>, script=command=.

There is a new command-line utility, HTADMIN, to assist with the maintenance of $HTA authorization databases.

There have been some format refinements (or at least changes ;^) to some Server Admin report items.

Version 8.3 (July 2003)

WASD string matching (mapping rules, authorization rules, conditionals) now supports POSIX EGREP-style regular expressions. This must be enabled using the [RegEx] configuration directive, and a regular expression is introduced using a leading "^" character.

Wildcard string matching (the WASD traditional method) has had efficiency improvements implemented. "Specified" wildcard substitution allows mapping rules to omit some matched portions and change the order of substituted portions when processing result strings.

A new Server Administration report menu item, [Match]. This provides direct access to the server string matching routines and allows the site administrator to experiment with string matching and substitution.

The file cache now allows the storage of permanent entries, as well as the traditional volatile ones.
Permanent entries are intended for the most static but frequently accessed of all site files (e.g. site logos, graphics, home pages, etc.) and are not flushed or revalidated in the same way as volatile ones. The SET cache=perm mapping rule specifies the paths associated with these resources.

Additional meta-config conditionals: notepad:, regex:, request:, restart:.

Additional mapping SET rules: cache=[no]perm, cache=max=, notepad=[+].

Authorization break-in detection and evasion has been reworked so it behaves in the same way as the VMS LGI_BRK_LIM, LGI_BRK_TMO and LGI_HID_TIM parameters. Two new parameters, [AuthFailurePeriod] and [AuthFailureTimeout], in addition to the existing [AuthFailureLimit], are used to implement this. If any or all are set to zero they assume the value of the equivalent LGI_ parameter.

A combination of VMS and rights ID authentication functionality previously not possible is now provided using /SYSUAF=(VMS,ID).

The instance functionality introduced with 8.0 has finally demonstrated itself to the author's satisfaction. The test environment is a 4 CPU AlphaServer 4100 running OpenVMS 7.3-1 and Compaq TCP/IP Services 5.3-18. A bug that exhibited itself on multiple-CPU systems has finally been identified and fixed.

The common and combined log formats now include the HTTP protocol in the request URL. The user format directives now allow 'PR' to specify the same datum.

The QDLOGSTATS utility now allows the use of POSIX EGREP-style regular expressions when matching the various components of the log file.

The CGIUTL (v1.10.n) shipping with the 8.3 package has a change in behaviour for /MULTIPART /FIELD= multipart/form-data POST decoding. Previously the representative symbol names were WWW_FORM_name_MIME_data; now they are (the more consistent) CGIUTL_name_MIME_data. Allowing for this change may require modification to scripts that use this functionality.
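The break-in evasion described under 8.3 above is easier to reason about as a small state machine: count failures per username-and-source within a window ([AuthFailurePeriod] / LGI_BRK_TMO), and once the count reaches the limit ([AuthFailureLimit] / LGI_BRK_LIM) refuse every attempt, correct password or not, for the hide time ([AuthFailureTimeout] / LGI_HID_TIM). The following is an added example, not WASD's or VMS's implementation: a simplified model with an injectable clock. The LGI_ fallback values are the VMS SYSGEN defaults as assumed here; confirm them on the target system.

```python
import time

# Added example (not WASD code): break-in detection and evasion modelled on the
# VMS LGI_BRK_LIM / LGI_BRK_TMO / LGI_HID_TIM parameters that the text says
# [AuthFailureLimit] / [AuthFailurePeriod] / [AuthFailureTimeout] mirror.
# The fallback values are the assumed VMS SYSGEN defaults; check SYSGEN on
# the target system before relying on them.
LGI_DEFAULTS = {"LGI_BRK_LIM": 5, "LGI_BRK_TMO": 300, "LGI_HID_TIM": 300}

class BreakinGuard:
    """Track failed authentications per (username, source) and hide the account
    for `timeout` seconds once `limit` failures occur within `period` seconds.
    A zero parameter takes the LGI_ default, as the text describes."""

    def __init__(self, limit=0, period=0, timeout=0, clock=time.monotonic):
        self.limit = limit or LGI_DEFAULTS["LGI_BRK_LIM"]
        self.period = period or LGI_DEFAULTS["LGI_BRK_TMO"]
        self.timeout = timeout or LGI_DEFAULTS["LGI_HID_TIM"]
        self._clock = clock                 # injectable so the window can be tested
        self._state = {}                    # key -> (failures, window_start, evade_until)

    def is_evading(self, key):
        st = self._state.get(key)
        return bool(st and st[2] is not None and self._clock() < st[2])

    def check(self, key, credentials_ok):
        """Return True only if access is granted. During evasion even correct
        credentials are refused; the caller must answer identically in both
        cases so an attacker cannot tell a wrong guess from a hidden account."""
        now = self._clock()
        failures, start, evade_until = self._state.get(key, (0, now, None))
        if evade_until is not None:
            if now < evade_until:
                return False                               # hidden: refuse everything
            failures, start, evade_until = 0, now, None    # evasion expired
        if now - start > self.period:
            failures, start = 0, now                       # old failures aged out
        if credentials_ok:
            self._state.pop(key, None)
            return True
        failures += 1
        if failures >= self.limit:
            evade_until = now + self.timeout
        self._state[key] = (failures, start, evade_until)
        return False
```

The key should combine username and client source (address or node), as VMS does; keying on username alone lets one remote attacker lock out a legitimate local user, and keying on source alone lets a distributed guesser stay under the limit.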
Version 8.2 (April 2003)

New mapping rules; dir=style[=default|original|anchor|htdir], html=[bodytag|header|headertag|footer|footertag]=.., cgiplusin=[none|cr|lf|crlf|eof], proxy=[no]forwarded[=by|for|address], proxy=[no]xforwardedfor[=enabled|address|unknown], script=query=none, script=path=find, script=as=$?, [no]search=none. The plus variation on the existing script=params=+(name=value) concatenates to any previously set script parameters.

The html= path settings can be used to set body, header and footer tags and text for incorporation in directory listings, error reports and selected other facilities. These are also available to scripts via the HTML_name CGI variables.

Use of a SYSUAF-authenticated security profile (/PROFILE) against an HTTPD$AUTH path can now be applied via the authorization rule (rather than using the set [no]profile mapping rules). The startup keyword /PROFILE=BYRULE directs the server to apply security profiles only if the authorization rule has such a directive.

CGI output processing has been relaxed to accept any CGI response header field in any order, provided that one of Content-Type:, Location: or Status: occurs somewhere in the response header (i.e. it actually is CGI compliant). To allow RTEs to be built using certain processing environments (e.g. PostScript) the CGI engine will now build (no matter how inefficiently) single-byte records into composite new-line delimited "real" records before processing.

Run-Time Environment (RTE) scripting attempts to reuse processes that were previously processing the same script and, if possible, path (to allow the RTE to cache these if desired). If none is available the Least Recently Used (LRU) RTE is activated, in an attempt to allow more recently or frequently used ones to keep their cache.
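The relaxed header check described under 8.2 above, as an added example in Python that is not WASD's code: it classifies a script's raw output as NPH (an HTTP status line first), CGI (a header block whose fields may appear in any order but which contains at least one of Content-Type:, Location: or Status:) or neither, the last being what the [CgiStrictOutput] directive described under 7.1 below reports as a 502. Records may end in CRLF or bare LF. The function names, the status code derivation for a bare Location: (302, the usual CGI convention) and the sample responses are the example's own.

```python
"""Classify raw script output as NPH, CGI or neither (added example, not
WASD code).  A CGI header block may carry its fields in any order but must
contain Content-Type:, Location: or Status:; an NPH response begins with an
HTTP status line.  Anything else is what [CgiStrictOutput] reports as a 502."""
import re

CGI_SENTINELS = {"content-type", "location", "status"}
_BLANK_LINE = re.compile(rb"\r?\n\r?\n")   # CRLF or bare LF records


def split_response(raw):
    """Return (header_lines, body); header_lines is None without a blank line."""
    m = _BLANK_LINE.search(raw)
    if m is None:
        return None, raw
    lines = [ln.rstrip(b"\r") for ln in raw[: m.start()].split(b"\n")]
    return lines, raw[m.end():]


def parse_headers(lines):
    """Lower-cased name -> value, or None if any line is not a header field."""
    headers = {}
    for ln in lines:
        name, sep, value = ln.partition(b":")
        name = name.strip()
        if not sep or not name or re.search(rb"\s", name):
            return None
        headers[name.decode("latin-1").lower()] = value.strip().decode("latin-1")
    return headers


def classify(raw):
    """'NPH', 'CGI' or 'INVALID' for the raw bytes a script wrote."""
    lines, _ = split_response(raw)
    if lines is None:
        return "INVALID"               # no header block terminated by a blank line
    if lines[0].upper().startswith(b"HTTP/"):
        return "NPH"
    headers = parse_headers(lines)
    if headers and CGI_SENTINELS.intersection(headers):
        return "CGI"
    return "INVALID"


def cgi_status(headers):
    """Status: wins; a bare Location: implies a redirect; otherwise 200."""
    if "status" in headers:
        return int(headers["status"].split()[0])
    if "location" in headers:
        return 302
    return 200


def dispatch(raw, strict=True):
    """Return (status, content_type, body) as a server acting on the output.
    INVALID output is a 502 under strict checking, or is wrapped as
    text/plain when the check is disabled."""
    kind = classify(raw)
    if kind == "INVALID":
        if strict:
            return 502, "text/plain", b"External agent did not respond (or not acceptably)"
        return 200, "text/plain", raw
    lines, body = split_response(raw)
    if kind == "NPH":
        parts = lines[0].split()
        status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 200
        headers = parse_headers(lines[1:]) or {}
    else:
        headers = parse_headers(lines)
        status = cgi_status(headers)
    return status, headers.get("content-type"), body


if __name__ == "__main__":
    # Constructed sample outputs, not captured from any real script.
    for sample in (b"Content-Type: text/html\r\n\r\n<html>",
                   b"X-Powered-By: x\nStatus: 404 Not Found\nContent-Type: text/plain\n\nnope",
                   b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\nhi",
                   b"just some text\n"):
        print(classify(sample), dispatch(sample)[:2])
```

Turning the strict check off is the equivalent of disabling [CgiStrictOutput]: a script that emits no header is served as plain text instead of being reported, which hides the defect rather than fixing it.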
The HTML_name CGI variables are available to scripts and Server Side Includes (SSI) documents, reflecting the content of any set html= rules, and the GATEWAY_EOF, _EOT and _ESC CGI variables provide the CGI processing sentinel strings to environments that cannot access the contents of the corresponding logical names.

HTTPD$MSG message configuration files now allow multiple, comma-separated and wildcard [Language]s to be specified.

Authentication agents can issue a "100 REASON any text" callout response to provide an explicit reason for authentication failure.

Server processes created during startup under VMS 6.2 and later have a YYYYMMDDHHMMSS timestamp as part of the process (SYS$OUTPUT) log name.

A change that occurred in OpenSSL 0.9.7 certificate Distinguished Name (DN) record format, from /email to /emailAddress, is now allowed for.

Courtesy of Dick Munroe (munroe@csworks.com); the CGIUTL utility has received some significant enhancements, and there are now convert-osu-to-wasd.pl and framework.pl conversion utilities (see [EXAMPLE]) and a SERVER_NEUTRAL_CGI.COM CGI wrapper (see [SRC.OTHER]).

There have been small refinements to the 8.1 environment installation, update and support utilities.

The favicon.ico can be mapped into any relevant service using the HTTPD$MAP rule

  pass /favicon.ico /wasd_root/favicon.ico

Document and script LINK/VLINK colours have been changed to a more muted blue (#0000ff to #0000cc). It was suggested, and I agree, that this is easier on the eye and generally works better.

Version 8.1.1 (January 2003)

A minor release; a couple of bugfixes and documentation. I didn't want these nuisance-value issues complicating an already significant upgrade.

The SECHAN utility during batch startup could prevent the server starting due to an illegal I/O request (enabling ctrl-T).

Using the /DO= functionality could occasionally fail with a NOSYSLCK error and report 4294967295 servers notified (hmmm, that seems a magic number ;^ it is -1 read as an unsigned 32-bit value). This was due to a race condition.
The set script=query=relaxed mapping rule allows unbalanced name-value pairs in form-url-encoded query strings to be ignored by the server and passed on to the script for processing.

The QDLOGSTATS utility has been enhanced.

A new method of selectively updating a site's files using a full archive is available using the [INSTALL]SELECT.COM procedure. This eliminates the need for package update kits to be supplied (saving me time) while still allowing only those files that require updating to be restored.

Version 8.1 (December 2002)

Versions prior to 8.1 have been shown to have some security issues with directory tree structure and permissions, and a too-liberal default ([EXAMPLE]) configuration. Problematic server functionality has also been addressed. Whether updating or installing from scratch, please (re)read [doc.misc]wasd_advisory_020925.txt and the revised Technical Overview section 7, Securing The Site. Be prepared for some minor issues related to changes in the package security profile. You must use the full environment of 8.1, including the new startup procedures, otherwise package behaviour is indeterminate. Ensure that the HTTPD$CONFIG directive [DclDetachProcess] is set to enable, to allow the server to use the scripting account (HTTP$NOBODY).

A number of problems present in the v8.0 release have been resolved. This includes some bugs but also functionality issues.

WASD SSL (Secure Sockets Layer) functionality can now be provided through the Compaq SSL for OpenVMS Alpha product on VMS versions 7.2-2 and later. The WASD HTTPd can be compiled against this toolkit, and/or linked against its shareable libraries. This provides a considerable saving in executable size and memory consumption when multiple SSL applications are in use against this product. It also aligns WASD with the emerging Open Source Security architecture for OpenVMS. The WASD OpenSSL kits will continue to be released to support platforms that cannot use the Compaq SSL product.
INSTALL and UPDATE procedures now detect SSL toolkits available to WASD and ask whether an SSL-enabled version of the server should be built. This eliminates the second step of @UPDATE SSL previously required.

"Skeleton-Key" authentication has been provided to allow non-configured access to the Server Administration facility for novice administrators on newly installed sites (amongst other uses).

ODS-5 (Extended File System) volumes and naming conventions have been supported since their release. Now SRI file name encodings (Process Software MultiNet and TCPware NFS and other utilities), PATHWORKS (4/5) and Advanced Server file name encodings (PATHWORKS 6, also used by Samba on ODS-2) can be converted for direct use and display by the HTTPd. The path settings ODS=2, ODS=5, ODS=ADS (syn. ODS=SMB), ODS=PWK and ODS=SRI control these mappings.

DECnet scripting rules can now specify that the script be executed under the account of an authenticated username (e.g. '/NODE"$"::/cgi-bin/'). The set script=as= mapping rule can also now be used with DECnet scripts.

The ALERT path setting can now optionally specify when to provide the alert; ALERT=MAP (immediately after mapping), ALERT=AUTH (after any authorization) and ALERT=END (default, at the end of request processing).

Other new mapping rules; set auth=all, set alert=keyword, set map=ellipsis, set query-string=, set report=4nn=nnn. Additional meta-config conditionals; mapped-path:, path-translated:, script-name:, redirected:, pass:, and additional keywords to ods:. Additional mapping conditionals, [MP], [PA], [PI], [RC], [RU], [ST], that parallel the meta-config conditionals above (yes, I know these are described as obsolete ;^).

Scripts may now request the server to generate an error message on their behalf using extensions to the CGI/1.2 "Script-Control:" response fields. This can give a very consistent look and feel to these responses.

New utility SECHAN. This provides a collection of functionalities used to maintain package security and access to various directories and files for server and scripting accounts.

Remember that when installing or modifying scripts they need to be copied into [CGI-BIN] and [AXP-BIN] or [VAX-BIN] (convenience logical CGI_EXE:) to make them accessible to the server.

The Compaq TCP/IP Services ECO that will allow instances to be used in production has not yet been released (see immediately below).

Version 8.0 (July 2002)

Instance support, where multiple server processes on a single node participate in an integrated environment (not unlike clustering itself) to share request load, provide rolling restart and a "fail-through" capability. Load sharing allows multi-CPU systems to significantly improve throughput. This instance implementation also provides an enhanced level of cluster-wide serving awareness.

WARNING: Compaq TCP/IP Services v5.n (at least) has a problem with socket listen queuing that can cause services to "hang" (should this happen just restart the server). Ensure you have the requisite ECO installed before activating multiple instances on production systems!

Mapping and authorization now share a consistent set of conditional rules (similar in intent but different in implementation to the previous mapping-only conditionals) that allows individual rules or blocks of rules to be conditionally applied depending on request, system, environment and other characteristics.

Language-variant documents can be configured and selected by the server depending on client browser language preference settings. For instance, a directory may contain generic (EXAMPLE.HTML), French (EXAMPLE_FR.HTML), English (EXAMPLE_EN.HTML) and German versions (EXAMPLE_DE.HTML) of the same document.
As indicated by preferences expressed in the "Accept-Language:" request header field, a German client will receive the Deutsch version (EXAMPLE_DE.HTML), French the Française version (EXAMPLE_FR.HTML), etc., with a fallback to the generic if no appropriate document is available or the client has not specified a preference. This can be applied to non-text files.

Language character set conversion. Using the VMS standard National Character Set (NCS) conversion library a document's character set may be converted dynamically (and efficiently) from one to another as indicated by preferences in the request "Accept-Charset:" header field. This has particular application for non-Latin-1 sets such as the Cyrillics used by some East European languages.

Script response header processing (CGI and NPH detection) has been refined to better handle non-record-oriented responses. This improves behaviour when scripts use the likes of fwrite() under the current DECC-RTL to provide portions of response header fields. It is not a total solution however, with some concessions still required for record-oriented output without explicit carriage-control.

Proxy serving now supports FTP. Proxy can also now perform HTTP-to-SSL (Secure Sockets Layer) gatewaying, allowing non-SSL-aware agents access to SSL services, as well as HTTP-to-FTP, SSL-to-HTTP, and other combinations of protocol conversion.

Additional configuration directives; [AuthCacheEntriesMax], [AuthCacheEntrySize], [AuthSysUafPwdExpURL], [AuthSysUafAcceptExpPwd], [CharsetConvert], [InstanceMax], [LogPerInstance], [ProxyCacheNoReloadSeconds], [ServiceProxyHttpSsl..], [SsiSizeMax].

Additional mapping SET rules; alert, accept=lang, auth=revalidate=hh:mm:ss, auth=sysuaf=pwdexpurl=, dir=access=, http=accept-charset=, http=accept-language=, proxy=bind=IP-address, proxy=chain=host:port, script=params=(name=value[,name="quoted value"]). The charset= rule also has an additional behaviour.
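The language-variant selection described under 8.0 above, as an added example in Python that is not WASD's code: it ranks the "Accept-Language:" tags by their q-values (RFC 2616 section 14.4 semantics, q=0 meaning unacceptable), matches them against files named like EXAMPLE_DE.HTML beside the generic EXAMPLE.HTML (any file type, not only HTML), lets a regional tag such as de-CH fall back to the de variant, and returns the generic when nothing suits or no preference was sent. The function names and the directory listings are the example's own.

```python
"""Select a language-variant document from Accept-Language (added example,
not WASD code).  Variants sit beside the generic file as NAME_LL.TYPE
(EXAMPLE_DE.HTML beside EXAMPLE.HTML) and any file type qualifies.  The
q-value handling follows RFC 2616 section 14.4; the fallback is the generic."""
import re


def parse_accept_language(header):
    """Language tags ordered by q (descending), then header order; q=0 dropped."""
    ranked = []
    for position, item in enumerate(header.split(",")):
        fields = [f.strip() for f in item.split(";")]
        tag = fields[0].lower()
        if not tag:
            continue
        q = 1.0
        for param in fields[1:]:
            if param.lower().startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0            # unparsable q: treat as unacceptable
        if q > 0:
            ranked.append((-q, position, tag))
    ranked.sort()
    return [tag for _, _, tag in ranked]


def variant_map(generic, available):
    """Map language code -> file name for NAME_LL.TYPE files next to `generic`."""
    base, _, ftype = generic.rpartition(".")
    pattern = re.compile(
        re.escape(base) + r"_([a-z]{2,3})\." + re.escape(ftype) + r"$", re.I)
    variants = {}
    for name in available:
        m = pattern.match(name)
        if m:
            variants[m.group(1).lower()] = name
    return variants


def select_variant(generic, available, accept_language=""):
    """Pick the best variant of `generic` in `available`, or `generic` itself."""
    variants = variant_map(generic, available)
    for tag in parse_accept_language(accept_language):
        if tag in variants:             # exact match, e.g. "de"
            return variants[tag]
        primary = tag.split("-")[0]     # "de-CH" falls back to "de"
        if primary in variants:
            return variants[primary]
    return generic                      # no preference or nothing suitable


if __name__ == "__main__":
    # Constructed directory listing, as in the page's example.
    listing = ("EXAMPLE.HTML", "EXAMPLE_FR.HTML", "EXAMPLE_EN.HTML", "EXAMPLE_DE.HTML")
    for header in ("de-CH,fr;q=0.8", "fr;q=0,de;q=0.8,en", "ja,zh;q=0.9", ""):
        print(repr(header), "->", select_variant("EXAMPLE.HTML", listing, header))
```

Note that the variant pattern is anchored to the generic's own base name and type, so a request for EXAMPLE.HTML can never be steered to an unrelated file by a crafted language tag; the tag only selects among files already present in the listing.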
Mapping SET rules may now be appended to any rule that contains both a template and result. Hence a final match can also be used to set path characteristics, as in

  pass /documents/* /ods5_device/docs/* ods=5

Additional /DO=INSTANCE=integer and /DO=PROXY=STOP=SCAN command-line directives.

The retirement of the WWWRKOUT utility. The addition of two other utilities; WB (WASD Bench, a $QIO-driven analogue to Apache Bench :^) and CALOGS (Consolidate Access LOGS).

Request body handling (POST and PUT) has been revised to process the body in discrete chunks, eliminating the requirement for the server to buffer the entire content in virtual memory. This effectively removes any processing limitation on request body size.

Ever found it annoying not being able to easily read a file you know contains text, but the file type is not configured or is configured for something else? Well, from a directory listing just click on the icon. For non-textual file types the icon is now an anchor returning the file as a plain-text document (regardless of its real content)!

Activity statistics are now stored in a permanent global section allowing activity graphs to span startups to a maximum of 28 days activity. Peak load is displayed on the request histogram, and server exit and startup events are indicated using vertical lines of different colours.

Plenty of "under-the-hood" changes supporting the new instance functionality and the greater cluster awareness (in preparation for cluster-wide (perhaps even galaxy-wide :^) scripting and other sharing in forthcoming versions).

Version 7.2.1 (November 2001)

A minor, basically bugfix release. One notable functionality item: persona scripting support (non-server account) for VAX VMS versions that do not support the $PERSONA services (i.e. 6.0 and 6.1). The PERSONA.MAR module performs a similar function by explicitly manipulating the process structures in kernel mode, operating in a well-accepted but basically unsupported fashion!
Check the build and scripting documentation for further details.

Version 7.2 (July 2001)

X.509 certificate authorization for SSL transactions. This allows authorization credentials to be established via client certificate without the use of username/password dialogs.

For SSL servers it is now possible to use encrypted private keys without the password being embedded in the configuration. As the SSL service is started the server prompts via HTTPDMON and OPCOM (if enabled) for the private key password. It can also be supplied using a /DO=SSL=KEY=PASSWORD directive.

Authorization via the RFC1413 "identification protocol". Note that an RFC1413 response is supplied by the client host itself and is not authenticated, so this is only meaningful where that host is trusted.

Remote user to local SYSUAF user "proxy" access.

Control of request processing, known as "throttling", sets limits on the number of concurrent requests being processed before new requests are queued. This can be used to limit instances of resource-intensive processing, as in the case of some scripts, etc.

CGIplus/RTE has a lower overhead, higher efficiency and throughput (50% to 100% increase) CGI variable transfer mode. Historically CGI variables have been transferred one per record, now termed "record" mode. It is also possible to transfer the variables as a single I/O, in "struct" mode. CGILIB now enables this by default. Just relink as necessary.

Scripts are no longer automatically run down if a client disconnects while processing. The [DclBitBucketTimeout] period must expire first. This results in most scripts and/or the associated process continuing to be available for use with another request, a significant efficiency improvement.

Improved script run-down handling. Scripts executing images are $FORCEXed before processes are deleted, allowing exit handlers to gain control for more elegant releasing of resources, etc.

It is now possible to specify a maximum CPU time limit on a per-script basis using the SET SCRIPT=CPU=hh:mm:ss mapping rule. This may be particularly useful in allowing for run-away user scripts.
Only selected HTTP status code reports need to be customized using the [ErrorReportPath] directive, those remaining still being handled internally.

The EXEC rule now allows not only directories to be specified as script repositories but also file types. This allows files with a particular extension to be designated as executable scripts wherever they occur in the specified path (and can be used to map ex-Purveyor scripts, for example).

"Monitor" data and "control" directives (/DO=) now communicate via shared memory in a global section. This is significantly more efficient and versatile. (Note that images must be installed with PRMGBL, SHMEM (VAX only) and SHRGBL.)

Version 7.1.1 (January 2001)

A minor release corresponding to the closing of OpenVMS Freeware CD V5 submissions. The usual bugfixes :^)

CGILIB has been updated for the new CGI interface requirements of Compaq Secure Web Server (CSWS) V1.0-1 (based on Apache 1.3.12).

A "standard" area for script scratch space ... with the server cleaning up behind those that fail to. See the Scripting Environment, Introduction.

QDLOGSTATS can now be used as a script and will provide an HTML form-based interface page.

Version 7.1 (November 2000)

Scripting process creation has been moved from LIB$SPAWN() to SYS$CREPRC(). This allows some interesting new features, including detached processes and scripts executing under non-server accounts (on VMS versions 6.2 and later), including user accounts. Subprocess scripting is still the default (i.e. it is backward compatible). Check the "Scripting Overview, Introduction" for the details.

Selected server administration menu and command-line /DO= directives can now be simultaneously applied to all servers on a node or across a cluster. To see this in action, even with only one existing server on a single node, do a

  $ @HT_ROOT:[000000]FREEWARE_DEMO

and then access the system's server Administration Menu.
The server administration menu now provides specific functionality for maintaining service and message configuration.

Proxy cache maintenance scans are now cluster-aware. A server undertaking a scan locks the cache, preventing other servers from simultaneously attempting to perform maintenance activities on the cache.

Run-Time Environments are a persistent scripting mechanism designed to support interpreters like Perl and Java, with the objective of reducing response latency, increasing throughput and reducing system impact. This version includes an example Perl RTE, which can give a performance improvement of some twenty-five times on standard CGI Perl scripts! For Perl distribution considerations this Perl RTE must be fully compiled and linked locally.

A new configuration directive [CgiStrictOutput], introduced in WASD 7.0, directs the server to report script responses that are neither CGI nor NPH (i.e. have no response header, or a faulty one). This is enabled in the 7.n example configuration files. Site administrators that do completely new installations may find their old scripts are now being reported as "ERROR 502 - External agent did not respond (or not acceptably)." Either modify the script to supply an appropriate header (preferable) or disable the configuration directive.

There have been some other refinements to the scripting environment, and more detailed information is provided in the Scripting Overview. It is recommended that site administrators and script authors review this.

CGILIB has been modified to become an object module/library. Compared to the code #include this is a more elegant method for delivering its functionality. The more significant WASD scripts have been modified to support this version (e.g. Conan, HyperShelf/Reader, WASDquery and others). The #includable functionality is still available.

Changes in VMS Apache BETA behaviour between 1.3.9 (T1.3-9AG) and 1.3.12 (1.3-12) make some WASD Server and CGILIB code ineffective. As far as the author can tell there is no way to send a binary stream from a script via T1.3-12. Whether or not future changes to VMS Apache restore this functionality cannot be determined at the current time.

The CGIUTL scripting utility has been enhanced so that POSTed request fields containing multiple lines (e.g.