| ↩︎ | ↖︎ | ↑︎ | ↘︎ | ↪︎ |
By default, the logical name WASD_CONFIG_MAP locates a common mapping rule file. Simple editing of the mapping file and reloading into the running server changes the processing rules. The [IncludeFile] is a directive common to all WASD configuration, allowing a separate file to be included as a part of the current configuration (2.1 Include File Directive).
Mapping rules are used for a number of different request processing purposes.
Mapping is basically for server-internal purposes only. The only time the path information of the request itself is modified is when a script component is removed. At all other times the path information remains unchanged. Path authorization is always applied to the path supplied with the request.
Rules are given a basic consistency check when loaded (i.e. server startup, map reload, etc.) If there is an obvious problem (unknown rule, missing component, etc., path not absolute) a warning message is generated and the rule is not loaded into the database. This will not cause the server startup to fail. These warning messages may be found in the server process log.
Changes to the mapping configuration file can be validated at the command-line before reload or restart. This detects and reports any syntactical and fatal configuration errors but of course cannot check the intent of the rules.
A server's currently loaded mapping rules may also be interrogated from the Server Administration menu (see Server Administration of WASD Features and Facilities).
The rules are scanned from first towards last, until a matching final rule is encountered (PASS, EXEC, SCRIPT, FAIL, REDIRECT, UXEC and USER) when the mapping pass concludes. Non-final rules (MAP and SET) perform the appropriate action and continue to the next rule. One, two or more passes through the rules may occur due to implicit processing (if the path contains a script component) or by explicit restart (SET map=restart).
The basis of path mapping is string pattern matching, comparing the request specified path, and optionally other components of the request when using configuration conditionals (5. Conditional Configuration), to a series of patterns, usually until one of the patterns matches, at which stage some processing is performed. Both wildcard and regular expression based pattern matching is available. All rules have a template (string pattern to match against the path). Some rules have a result (how to restructure the components matching from the template).
As described in 2.4 Virtual Services virtual service syntax may be used with mapping rules to selectively apply rules to one specific service. If virtual services are configured rule interpretation sees only rules common to all services and those specific to its own service (host address and port). In all other aspects rule interpretation applies as described above.
Naturally, each rule that needs to be processed adds a little to consumed CPU, introduces some latency, and ultimately reduces throughput. The test-bench has shown this to be acceptably small compared to the overall costs of responding to a request. Using the ApacheBench tool on a COMPAQ Professional Workstation XP1000 with 2048MB, VMS V8.3, TCP/IP Service 5.7 and WASD v10.1, with a simple access to /wasd_root/exercise/0k.txt showed approximately 744 requests/second throughput using the following mapping file.
After adding various quantities of the same intervening rule
| Rule Count | Requests/S | Throughput |
|---|---|---|
| 0 | 744 | baseline |
| 100 | 701 | -5.8% |
| 200 | 665 | -10.6% |
| 500 | 571 | -23.3% |
| 1000 | 461 | -38.4% |
Although this is a fairly contrived set-up and actual real-world rule-sets are more complex than this, even one hundred rules is a very large set, and it does indicate that for all intents and purposes mapping rules may be used to achieve desired objectives without undue concern about impact on server throughput.
The VMS file system in mapping rules is always assumed to begin with a device or concealed device logical. Specifying a Master File Directory (MFD) component, the [000000] is completely optional, although always implied. The mapping functions will always insert one if required for correct file system syntax. That is, if the VMS file system mapping of a path results in a file in a top-level directory an MFD is inserted if not explicitly present in the mapping. For example, both of the following paths
Concealed device logicals are created using the following syntax:
The logical name may be multi-valued and provided the DIRECTORY command can be used successfully with them (as described above) should be amenable to WASD directory listing producing equivalent results.
For ODS-2 volumes, when during rule mapping of a path to a VMS file specification an RMS-invalid character (e.g. "+") or syntax (e.g. multiple periods) is encountered a dollar symbol is substituted in an attempt to make it acceptable. This functionality is often useful for document collections imported to the local web originating from, for instance, a Unix site that utilizes non-VMS file system syntax. The default substitution character may be changed on a per-path basis using the SET rule (10.5.5 SET Rule).
OpenVMS Alpha V7.2 introduced a new on-disk file system structure, ODS-5. This brings to VMS in general, and WASD and other Web servers in particular, a number of issues regarding the handling of characters previously not encountered during (ODS-2) file system activities. ODS-2 and ODS-5 volumes should be automatically distinguished by the server however it is possible to force interpretation using a path mapping rule (10.5.5 SET Rule).
There is a standard for characters used in HTTP requests paths and query strings (URLs). This includes conventions for the handling of reserved characters, for example "?", "+", "&", "=" that have specific meanings in a request, characters that are completely forbidden, for example white-space, control characters (0x00 to 0x1f), and others that have usages by convention, for example the "~", commonly used to indicate a username mapping. The request can otherwise contain these characters provided they are URL-encoded (i.e. a percentage symbol followed by two hexadecimal digits representing the hexadecimal-encoded character value).
There is also an RMS standard for handling characters in extended file specifications, some of which are forbidden in the ODS-2 file naming conventions, and others which have a reserved meaning to either the command-line interpreter (e.g. the space) or the file system structure (e.g. the ":", "[", "]" and "."). Generally the allowed but reserved characters can be used in ODS-5 file names if escaped using the "^" character. For example, the ODS-2 file name "THIS_AND_THAT.TXT" could be named "This^_^&^_That.txt" on an ODS-5 volume. More complex rules control the use of character combinations with significance to RMS, for instance multiple periods. The following file name is allowed on an ODS-5 volume, "A-GNU-zipped-TAR-archive^.tar.gz", where the non-significant period has been escaped making it acceptable to RMS.
Of course characters absolutely forbidden in request paths must still be URL-encoded, the most obvious example is the space. RMS will accept the file name "This^ and^ that.txt" (i.e. containing escaped spaces) but the request path would need to be specified as "This%20and%20that.txt".
Unlike for ODS-2 volumes, ODS-5 volumes do not have "invalid" characters, so no processing is performed to ensure RMS compliance.
ODS-5 allows for some file name ambiguity in web-space.
For example the file name
In addition, the two files
To avoid this situation a potentially ambiguous file name containing an escaped period and no type (extension) is ignored by directory listings and WebDAV property lists. When an ambiguous file name is detected it is reported in WATCH reports.
While these sorts of situations are corner-cases it is best to try and avoid interesting file names that can challenge the rather convoluted VMS file-system environment.
When the server generates a path to be returned to the browser, either in a viewable page such as a directory listing or error message, or as a part of the HTTP transaction such as a redirection, the path will contain the URL-encoded equivalent of the canonical form of an extended file specification escaped character. For example, the file name "This^_and^_that.txt" will be represented by "This%20and%20that.txt".
When presenting a file name in a viewable page the general rule is to also provide this URL-equivalent of the unescaped file name, with a small number of exceptions. The first is a directory listing where VMS format has been requested by including a version component in the request file specification. The second is in similar fashion, but with the tree facility, displaying a directory tree. The third is in the navigation page of the UPDate menu. In all of the instances the canonical form of the extended file specification is presented (although any actual reference to the file is URL-encoded as described above).
These are the categories of mapping rules.
If the URL path matches the template, substitute the result string for the path and use that for further rule processing. Both template and result paths must be absolute (i.e. begin with "/").
If the URL path matches the template, substitute the result if present (if not just use the original URL path), processing no further rules.
The result should be a either a physical VMS file system specification in URL format or an HTTP status-code message (see below). If there is a direct correspondance between the template and result the result may be omitted.
An HTTP status-code message can be provided as a result. The server then generates a response corresponding to that status code containing the supplied message. Status-code results should be enclosed in one of single or double quotes, or curly braces. See examples. A 3nn status results in a redirection response with the message text comprising the location. Codes 4nn and 5nn result in an error message. Other code ranges (e.g. 0, 1nn, 2nn, etc.) simply cause the connection to be immediately dropped, and can be used for that purpose (i.e. no indication of why!)
200 — with following $ will cause the DCL script processor to execute the command. The output will be returned to the client.
418 — will immediately drop the connection. Also see 2.14 Connection Accept and Reject.
If the URL path matches the template, prohibit access, processing no further rules. The template path must be absolute (i.e. begin with "/").
If the URL path matches the template, substitute the result string for the path. Process no further rules. Redirection rules can provide result URLs in one of a number of formats, each with a slightly different behaviour.
See 10.7 Mapping Examples for examples of each of these.
The USER rule maps a VMS user account default device and directory (i.e. home directory) into a request path. That is, the base location for the request is obtained from the VMS systems SYSUAF file. This is usually invoked by a request path in the form "/~username/", see ‘Mapping User Directories’ in 10.9 Conditional Mapping for more detailed information.
If the path matches the template then the result is substituted, with the following conditions. At least one wildcard must be present. The first wildcard in the result substitutes the username's home directory into the path (in place of the "~username"). Any subsequent wildcard(s) substitute corresponding part(s) of the original path.
If the user DANIEL's default device and directory were
Also see WASD Scripting Environment for further information.
The EXEC/UXEC and SCRIPT directives have the variants EXEC+/UXEC+ and SCRIPT+. These behave in exactly the same fashion and simply mark the rule as representing a CGIplus script environment.
The EXEC/UXEC rules maps script directories.
The SCRIPT rules maps script file names. It behaves a little differently to the EXEC rule, essentially supplying in a single rule the effect of a MAP then an EXEC rule.
Both rules must have a template and result, and both must end in a wildcard asterisk. The placement of the wildcards and the subsequent functionality is slightly different however. Both template and result paths must be absolute (i.e. begin with "/").
The EXEC rule requires the template's asterisk to immediately follow the slash terminating the directory specification containing the scripts. The script name follows immediately as part of the wildcard-matched string. For example:
If the URL path matches the template, the result, including the first slash-terminated part of the wildcard-matched section, becomes the URL format physical VMS file specification the script to be executed. What remains of the original URL path is used to create the path information. Process no further rules.
Hence, the EXEC rule will match multiple script specifications without further rules, the script name being supplied with the URL path. Hence any script (i.e. procedure, executable) in the specified directory is accessible, a possible security concern if script management is distributed.
A variation on the "exec" rules allows a Run-Time Environment (RTE) to be mapped. An RTE is a persistant scripting environment not unlike CGIplus. The essential difference is an RTE provides an environment in which a variety of scripts can be run. It is often an interpreter, such as Perl, where the advantages of persistance (reduced response latency and system impact) are available. For more information on RTEs and how they operate see the WASD Scripting Environment document.
The RTE executable is specified in parentheses prefixed to the mapping result, as show in this example:
The SCRIPT rule requires the template's asterisk to immediately follow the unique string identifying the script in the URL path. The wildcard-matched string is the following path, and supplied to the script. For example:
If the URL path matches the template, the result becomes the URL format physical VMS file specification for the DCL procedure of the script to be executed (the default file extension of ".COM" is not required). What remains of the original URL path is used to create the path information. Process no further rules.
Hence, the SCRIPT rule will match only the script specified in the result, making for finely-granular scripting at the expense of a rule for each script thus specified. It also implies that only the script name need precede any other path information.
It may be thought of as a more efficient implementation of the equivalent functionlity using two CERN rules, as illustrated in the following example:
The UXEC rule is an analog to the EXEC rule, except it is used to map user scripts. It requires two mapping asterisks, the first for the username, the second for the script name. It must be used in conjunction with a SET script=as=~ rule. For example:
For further information see ‘User Account Scripting’ in 10.10.1 Using The SYSUAF and the Introduction of WASD Scripting Environment.
It is conventional to locate script images in WASD_ROOT:[AXP-BIN] or WASD_ROOT:[X86_64-BIN] (depending on the platform), and procedures, etc. in WASD_ROOT:[CGI-BIN]. These multiple directories are accessible via the single search list logical CGI-BIN.
Script files can be located in area completely outside of the WASD_ROOT tree. Two approaches are available.
Generally directories are specified as locations for script files. This is the more common application, with the EXEC rules used as in this example
Mapping a file type into an EXEC behaviour is also supported. This allows all files within the specified path and with the matching file suffix (extension) to be activated as scripts. Of course a script runtime must be available for the server to be able activate it. The following example demonstrates mapping all files ending in .CGI in the /web/ tree as executable scripts.
The SET rule does not change the mapping of a path, it just sets one or more characteristics against that path that affect the subsequent processing in some way. It is a general purpose rule that conveniently allows the administrator to tell the server to process requests with particular paths in some ad hoc and generally useful fashion. Most SET parameters are single keywords that act as boolean switches on the request, some require parameter strings. Multiple space-separated parameters may be set against against the one path in a single SET statement.
| Rule | Description |
|---|---|
| ACCEPT=LANG= DEFAULT=<language> | sets the default language |
| ACCEPT=LANG= CHAR=<character> | sets the delimiting character |
| ACCEPT=LANG= VARIANT=<name>|<type> | allows the alternate file-type variant to be specified |
| ACCEPT=LANG= (DEFAULT=<language>, CHAR=<character>) | sets both (etc.) |
| NOACCEPT=LANG | disables language variant processing (on a subtree for example) |
For detailed configuration information see 2.9 Language Variants.
| Rule | Description |
|---|---|
| ALERT=MAP | generates this alert immediately after path mapping (i.e. before the request actually begins being processed) |
| ALERT=AUTH | after authorization (i.e. when any remote username has been resolved) |
| ALERT=<integer> | if the response HTTP status matches the specific integer |
| ALERT=END | at the conclusion of process (the default) |
| NOALERT | cancels alerts on this path (perhaps subpath) |
| Rule | Description |
|---|---|
| [NO]AUTH=ALL | All requests matching this path must have been subject to authorization or fail with a forbidden status. This is a per-path requivalent of implementing the per-server /AUTHORIZE=ALL policy, and is a little "belt and braces" in a certain sense, but does permit a site to further avoid unintended information leakage (in this case through the failure ensure a given path has authorization). |
| [NO]AUTH=ONCE | If a request path contains both a script component and a resource component by default the WASD server makes sure both parts are authorized before allowing access. This can be disabled using this path setting. When this is done only the original request path undergoes authorization. |
| AUTH=REVALIDATE=<hh:mm:ss> | Authorization is cancelled and the client requested to reenter the username and password if this period expires between authorized requests. Overrides configuration directive [AuthRevalidateUserMinutes]. |
| AUTH=SYSUAF= PWDEXPURL=<string> | Parallels the [AuthSysUafPwdExpURL] configuration directive, allowing it to be set on a per-path or virtual service basis. |
| Rule | Description |
|---|---|
| CACHE=NONE | disables caching of files matching this rule |
| CACHE=EXPIRES=0 | cancels previous mapped expiry |
| CACHE=EXPIRES=DAY | expires on change of day |
| CACHE=EXPIRES=HOUR | expires on change of hour |
| CACHE=EXPIRES=MINUTE | expires on change of minute |
| CACHE=EXPIRES=<period> | sets the expiry period for the entry |
| CACHE=GUARD=<period> | sets the guard period (no reload) for the cache entry |
| CACHE=MAX=<integer> | cache files up to this many kilobytes (overrides [CacheFileKBytesMax]) |
| CACHE=[NO]CGI | cache CGI-compliant (script) responses |
| CACHE=[NO]FILE | cache files matching this rule (the default) |
| CACHE=[NO]NET | cache any network output |
| CACHE=[NO]NPH | cache NPH (non-parse-header script) responses |
| CACHE=[NO]SCRIPT | cache both CGI and NPH responses |
| CACHE=[NO]SSI | cache SSI document responses |
| CACHE=[NO]QUERY | cache (script) regardless of containing a query string |
| CACHE=[NO]PERM | permanently cache these files |
| Rule | Description |
|---|---|
| CGIPLUSIN=CC=NONE | no carriage control |
| CGIPLUSIN=CC=LF | each record has a trailing line feed (0x0a) |
| CGIPLUSIN=CC=CR | a trailing carriage return (0x0d) |
| CGIPLUSIN=CC=CRLF | a trailing line feed then carriage return (0x0d0a) |
| CGIPLUSIN=[NO]EOF | the end of the record stream is indicated using an end-of-file |
| Rule | Description |
|---|---|
| CLIENT=FORWARDED | Substitute the (first) address from the "Forwarded": request header. Return a 403 status if no "Forwarded:" header present. |
| CLIENT=IF=FORWARDED | As above but the absence of a "Forwarded:" request header is not fatal. |
| CLIENT=LITERAL=<string> | Substitue the following string. Intended for testing purposes. |
| CLIENT=RESET | Reset the substituted client data to the original (up-stream proxy). |
| CLIENT=XFORWARDEDFOR | Substitute the (first) address from the "X-Forwarded-For": request header. Return a 403 status if no "X-Forwarded-For:" header present. |
| CLIENT=IF=XFORWARDEDFOR | As above but the absence of a "X-Forwarded-For:" request header is not fatal. |
| Rule | Description |
|---|---|
| DIR=[NO]ACCESS | allows directory listing |
| DIR=ACCESS=SELECTIVE | allows directory listing if the directory contain the file .WWW_BROWSABLE |
| DIR=DELIMIT=<keyword> | header, footer, both, none |
| DIR=[NO]ILINK | icon plain-text link can be disabled |
| DIR=[NO]IMPLIEDWILDCARD | add wildcards if not in path |
| DIR=SORT=<column> | pre-sort a listing |
| DIR=STYLE=<keyword> | set the style of a directory listing
|
| DIR=TARGET=<string> | open the file in another window
|
| DIR=THESE=<filespec> | restrict listing to specified filename(s) |
| DIR=TITLE=<keyword> | format the title
of the window (tab)
|
| DIR=VERSIONS=<integer> | list the specified maximum number of file versions, or if an asterisk all versions |
| DIR=[NO]WILDCARD | allow a directory listing to be "forced" by including wildcards in the path |
| Rule | Description |
|---|---|
| HTML=BODYTAG= | specifies the page <BODY> tag characteristics (e.g. html=bodytag="BGCOLOR=#ffffff") |
| HTML=HEADER= | the page header text |
| HTML=HEADERTAG= | the <TD> tag characteristics of the header table (e.g. html=headertag="BGCOLOR=#cccccc") |
| HTML=FOOTER= | the page footer text |
| HTML=FOOTERTAG= | the <TD> tag characteristics of the footer table |
The headertag and footertag directives also allow the full table tag to be specified, allowing greater flexibility with these parts of the page (e.g. html=footertag="<TABLE BORDER=1 CELLPADDING=10 CELLSPACING=0><TR><TD BGCOLOR=#cccccc>".
| Rule | Description |
|---|---|
| HTTP=ACCEPT-CHARSET=<string> | the "Accept-Charset:" field |
| HTTP=ACCEPT-LANGUAGE=<string> | the "Accept-Language:" field |
| Rule | Description |
|---|---|
| HTTP2=PROTOCOL=1.1 | send the client an HTTP_1_1_REQUIRED error whcich should cause it to re-request as HTTP/1.1 |
| HTTP2=SEND=GOAWAY[=<integer>] | send the client a connection GOAWAY frame with optional error number |
| HTTP2=SEND=PING | send the client an HTTP/2 ping |
| HTTP2=SEND=RESET[=<integer>] | send the client a stream (request) reset (close) with optional error number |
| HTTP2=WRITE=LOW|NORMAL|HIGH | this stream (request) will write to the network at the specified priority relative to other data on the connection |
| Rule | Description |
|---|---|
| [NO]MAP=ELLIPSIS | By default the use of the VMS file specification ellipsis wilcard ("...") is not allowed. This enables this for the path specified. Use with caution. |
| [NO]MAP=ONCE | Normally, when a script has been identified during mapping, the resultant path information is also mapped in a second pass. This can be suppressed by SETing the path as MAP=ONCE. The resultant path is then given to the script without further processing. |
| MAP=RESTART | Causes an immediate change to the order of rule processing. Instead of the next rule, the first rule in the configuration is processed. This is intended to remove the need for copious repetition in the rule set. A common or set of common processing blocks can be established near the start of the rule set and be given requests from processing points further down in the rules. It is intended to be used only once or perhaps twice and will abort the request if it occurs too often. Can be detected using the restart: conditional (5.3 Conditional Keywords). Use with caution! Injudicious use would make unexpected mappings expected! |
| [NO]MAP=ROOT=<string> | Prefixes the results of following rules with the specified path so that they are all subordinate to it. This also populates the DOCUMENT_ROOT CGI variable. See ‘Document Root’ in 2.3 Site Organisation. |
| [NO]MAP=SET=IGNORE | All path SETings following an IGNORE are completely ignored (not applied to the mapping or request characteristics) until a subsequent NOINGORE is encountered. |
| [NO]MAP=SET=REQUEST | All path SETings following a NOMAP=SET=REQUEST are only applied to the mapping and not to the request's characteristics until a subsequent MAP=SET=REQUEST is encountered. Intended for use during callouts. These can be detected using the callout: conditional (5.3 Conditional Keywords). |
| [NO]MAP=URI | Normally mapping is performed on the request path. This SETing replaces the path with the full, raw, request URI (undecoded path plus any query string). This allows subsequent mapping rules to be applied to the full URI and therefore path components to be remapped into query components, and query components into path components (using specified substitution, see 4.4 Expression Substitution). |
| Rule | Description |
|---|---|
| ODS=2 | is basically redundant, because if a path is not indicated as anything else it is assumed to be ODS-2. This can be used for clarity in the mapping rules if required. |
| ODS=5 | is used to indicate that a particular path maps to files on an ODS-5 (EFS) volume and so the names may comply to extended specifications. This changes the way file names are processed, including for example the replacement of invalid RMS characters (see below). |
| ODS=ADS | is used to process file names that are encoded using the Advanced Server (PATHWORKS 6) schema. |
| ODS=NAME=8BIT|UTF8|DEFAULT | When a file is PUT (created) using WebDAV or upload, for non-7bit ASCII file names use native ODS-5 8bit syntax (default) or UTF-8 encoded character sequences. |
| ODS=PWK | is used for processing file names encoded using the PATHWORKS 4/5 schema. |
| ODS=SMB | is a synonym for ODS=ADS and makes clear the path is also being served by Samba. |
| ODS=SRI | for file names encoded using the SRI schema (used by MultiNet and TCPware NFS, FTP and other utilities). |
| Rule | Description |
|---|---|
| PROXY=[NO]AFFINITY | sets client to origin server affinity. |
| PROXY=BIND=<ip-address> | makes outgoing proxy requests appear to originate from this IP address. Must be an address that the media can be bound to. |
| PROXY=CHAIN=<host:port> | makes outgoing proxy requests chain to this up-stream proxy server. |
| PROXY=CHAIN=CRED=<username:password> | provides proxy authentication credentials to an up-stream proxy server. |
| PROXY=FORWARDED | controls generatation a proxy "Forwarded:" request
field. This optional field contains information on the proxy server and as a
further option the client name or IP address.
|
| PROXY=HEADER=<name>[=<string>] | removes or sets the value of the specified proxied request header. Examples:
|
| PROXY=REVERSE=[NO]AUTH | suppresses propogation of any "Authorize" header. |
| PROXY=REVERSE=LOCATION=<string> | rewrites the matching "Location:" header field URL of a 302 response from an internal, reverse-proxied server. |
| PROXY=REVERSE=[NO]VERIFY | sets a specialized authorization capability. See WASD_ROOT:[SRC.HTTPD]PROXYVERIFY.C for further information. |
| PROXY=REWORK=<string> | rework the response (see Rework Proxy Response of WASD Features and Facilities). |
| PROXY=TUNNEL=REQUEST=<string> | allows the originating end of a WASD tunnel to specify an HTTP request line or even request header to be provided to the tunnel target end when the connection is established. |
| PROXY=UNKNOWN | causes the server to propagate all request field provided by the client to the proxied server (by default WASD only propagates those it recognises). |
| PROXY=XFORWARDEDFOR=<keyword> | controls generation of a proxy "X-Forwarded-For:" request field. This optional
field (a defacto standard originally from the Squid caching package)
contains the name or IP address of the proxied client.
|
| Rule | Description |
|---|---|
| PUT=MAX=<integer> | * | Maximum number of kilobytes allowed for a request body, if "*" then effectively unlimited (per-path equivalent of the global directive [PutMaxKbytes]). |
| PUT=RFM=FIX512|STM|STMCR|STMLF|UDF | When a request body is uploaded into the file-system and the content-type is not text this determines the file record format. The precedence for determining the created file record format is [AddType] RFM:, then any per-path PUT=RFM= mapping rule, then [PutBinaryRFM], then the default of UDF. |
| Rule | Description |
|---|---|
| REPORT=BASIC | include less detail in error message |
| REPORT=DETAILED | includes more detail |
| REPORT=TUNNEL | brief, non-HTML error messages suitable for proxy tunnel |
| REPORT=4<nn>=<nnn> | maps one 400 class HTTP status to another (to conceal the true origins of some error messages) |
| Rule | Description | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| RESPONSE=CSP=<parameter> RESPONSE=CSPRO=<parameter> | see 3.10 Content Security Policy (CSP) | ||||||||||||
| RESPONSE=GZIP=<keyword> | controls generation of GZIPed response bodies (2.5 GZIP Encoding)
| ||||||||||||
| RESPONSE=HEADER=<parameter> | changes the way in which a response header is generated by the server.
| ||||||||||||
| RESPONSE=VAR=<parameter> | where a response is being provided from a variable-length record file each
record should be terminated as follows.
|
For scripting detail see the WASD Scripting Environment document.
| Rule | Description |
|---|---|
| SCRIPT=AS=<parameter> | for non-server account scripting this rule allows the user account to be either explicitly specified or substituted through the use of the tilde character "~" or the dollar "$". |
| SCRIPT=BIT-BUCKET=<hh:mm:ss> | specifies the period for which a script continues to execute if the client disconnects. Overrides the WASD_CONFIG_GLOBAL [DclBitBucketTimeout] configuration directive. |
| [NO]SCRIPT=BODY=DECODE | instructs the server to decode (un-chunk and/or un-GZIP) an encoded request body before transfering it to the script. The script must be aware of this and change its processing accordingly. See 2.5 GZIP Encoding. |
| SCRIPT=CONTROL=<string> | Supply the specified string to the CGI processor as if the a script had provided it using a "Script-Control:" response header field. |
| SCRIPT=COMMAND=<string> | allows additional parameters and qualifiers to be passed to the script
activation command line. First parameter must be an asterisk to use the server
resolved script command. If the first parameter is not an asterisk it
substitutes for the script activation verb. Subsequent parameters must be as
they would be used on the command line. The following setting
set /cgi-bin/example* script=command="* /ONE /TWO=THREE FOUR"
would result in the hypothetical script being command-line activated
$ EXAMPLE /ONE /TWO=THREE FOUR
|
| SCRIPT=CPU=<hh:mm:ss> | specifies that the server should not allow the script to use more than the specified quantity of CPU time. This is approximate, due to the way the server administers scripting. It can serve to prevent scripts from consuming indefinite quantities of system resources. |
| SCRIPT=DEFAULT=<string> | sets the default directory for the script environment (a SET DEFAULT immediately prior to script activation). This can be suppressed (for backward compatibility purposes) using a "#" as the target directory. This string is reflected in CGI variable SCRIPT_DEFAULT so that CGIplus script and RTE engines can be informed of this setting for a particular script's environment. Unix syntax paths may also be specified. If the default begins with a "/" character the SET DEFAULT is not performed but the SCRIPT_DEFAULT variable is set appropriately allowing the equivalent of a chdir() to be performed by the scripting environment. |
| [NO]SCRIPT=FIND | by default the server always confirms the existance and accessability of a script file by searching for it before attempting to activate it. If it does not exist it reports an error. It may be possible a Run-Time Environment (RTE) may require to access its own script file via a mechanism available only to itself. The server script search may be disabled by SETing the path as nofind, for example "script=nofind". The script path and filename is directly passed to the RTE for it to process and activate. |
| SCRIPT=LIFETIME=<hh:mm:ss> | provides a per-path (and hence per-script) value for a script process zombie (idle scripting process) or idle CGIplus and RTE process lifetime. This per-path SETing overrides the respective [DclZombieLifeTime] and [DclCGIplusLifeTime] global directives. |
| SCRIPT=PARAM=<name=value> | allows non-CGI environment variables to be associated with a particular script
path. The name component becomes a variable containing the specified value
passed to the script. Multiple, comma-separated name=value pairs may be
specified. The value may be quoted. The following path setting
set /cgi-bin/example*
script=params=(first=one,second="Two (and Three)")
would result in additional CGI variables available to the script
WWW_FIRST == "one"
WWW_SECOND == "Two (and Three)"
Multiple script=params set against the one request override previous settings unless the parameters are specified with a leading plus symbol, as in set /cgi-bin/example* script=params=+(third=three,fourth="number 4")
|
| [NO]SCRIPT=PATH=FIND | directs the server to check for and report if the file specified in the path does not exist before activating the script process. Normally this would be left up to the script. |
| [NO]SCRIPT=QUERY=NONE | saves a small amount of overhead by suppressing the decomposition of any query string into key or form fields for those environments that do this for themselves. |
| [NO]SCRIPT=QUERY=RELAXED | normally when the CGI variables are being prepared for a script and the query string is parsed an error is reported if it uses x-www-form-urlencoded format and the encoding contains an error. However some scripts use non-strict encodings and this rule allows those scripts to receive the query strings without the server complaining first. |
| [NO]SCRIPT=SYNTAX=UNIX | provides the SCRIPT_FILENAME and PATH_TRANSLATED CGI variables in Unix file-system syntax rather than VMS file-system syntax (i.e. /DEVICE/dir1/dir2/file.type rather than DEVICE:[DIR1.DIR2]FILE.TYPE). |
| [NO]SCRIPT=SYMBOL=TRUNCATE | allows otherwise aborted script processing to continue. Script CGI variables are provided using DCL symbols. With VMS V7.3-2 and later symbol capacity is in excess of 8000 characters. For VMS V7.3-1 and earlier it has a limit of around 1000 characters. If a symbol is too large the server by default aborts the request generating a 500 HTTP status. If the above mapping is made (against the script path) excessive symbol values are truncated and such symbol names placed into a special CGI variable named SERVER_TRUNCATE. |
| Rule | Description |
|---|---|
| [NO]SSI=PRIV | SSI documents cannot contain privileged directives (e.g. <--#exec ... -->) unless owned by SYSTEM ([1,4]) or are in path set as allowing these directives. Use SSI=priv to enable this, NOSSI=priv to disable. Caution: these SSI directives are quite powerful, use great care when allowing any particular document author or authors to use them. |
| SSI=EXEC=<string> | where <string> is a comma-separated list of the #dcl parameters
permitted for the path allows fine-grained control of what capabilities are
enabled. The parameter "#" enables SSI on a per-path basis.
ssi=exec=say,show
ssi=exec=#
|
When enabling these variables it is advised to increase the WASD_CONFIG_GLOBAL [BufferSizeDclCommand] and [BufferSizeCgiPlusIn] directives by approximately 2048.
| Rule | Description |
|---|---|
| NOSSLCGI | disables the facility |
| SSLCGI=none | disables the facility |
| SSLCGI=Apache_mod_SSL | provides Apache mod_ssl style variables |
| SSLCGI=Apache_mod_SSL_extens | provides variables representing X509 V3 extensions from the server certificate |
| SSLCGI=Apache_mod_SSL_client | provides variables representing X509 V3 extensions from the client certificate |
| SSLCGI=Purveyor | provides Purveyor style variables |
| Rule | |
|---|---|
| THROTTLE=n[/u][,n,n,n,hh:mm:ss,hh:mm:ss] | |
| THROTTLE=FROM=<n> | |
| THROTTLE=USER=<u> | |
| THROTTLE=TO=<n> | |
| THROTTLE=RESUME=<n> | |
| THROTTLE=BUSY=<n> | |
| THROTTLE=TIMEOUT=QUEUE=<hh:mm:ss> | |
| THROTTLE=TIMEOUT=BUSY=<hh:mm:ss> |
These parallel the respective configuration timeout periods. See 6.2 Alphabetic Listing.
| Rule | Description |
|---|---|
| TIMEOUT=<hh:mm:ss>, <hh:mm:ss>,<hh:mm:ss> | Keep-alive, then no-progress, then output timeouts. |
| TIMEOUT=KEEPALIVE= <hh:mm:ss> | Keep idle network connections alive for this long. |
| TIMEOUT=NOPROGRESS= <hh:mm:ss> | Terminate connection when no data is transferred to the client for this period. |
| TIMEOUT=OUTPUT= <hh:mm:ss> | Terminate connection after this period when no response data has been sent. |
| NOTIMEOUT | No timeouts are applied to the request. |
| Rule | Description |
|---|---|
| WEBDAV=[NO]ALL | all requests using WebDAV processing (even if not WebDAV request) |
| WEBDAV=[NO]AUTH | authorise access using WebDAV rules (even if not WebDAV request) |
| WEBDAV=[NO]HIDDEN | list (default) or hide U*x hidden files (i.e. those with names beginning with period) |
| WEBDAV=[NO]LOCK | allow/apply WebDAV locking to this path |
| WEBDAV=[NO]PROFILE | WebDAV access according to SYSUAF profile |
| WEBDAV=[NO]PROP | allow/apply WebDAV 'dead' property(ies) to this path |
| WEBDAV=[NO]PUT=LOCK | a resource must be locked before a PUT is allowed |
| WEBDAV=[NO]READ | WebDAV methods allowed read this tree |
| WEBDAV=[NO]SERVER | WebDAV access as server account (best effort) |
| WEBDAV=[NO]WINPROP | when NOWINPROP windows properties are ignored and emulated |
| WEBDAV=[NO]WRITE | WebDAV methods allowed write to this path (implied read) |
| WEBDAV=LOCK=TIMEOUT=DEFAULT= | hh:mm:ss |
| WEBDAV=LOCK=TIMEOUT=MAX= | hh:mm:ss |
| WEBDAV=META=DIR= | per-path equivalent of global [WebDAVmetaDir] |
| Rule | Description |
|---|---|
| WEBSOCKET=INPUT=integer | Specifies the size of the WEBSOCKET_INPUT mailbox buffer; in bytes. |
| WEBSOCKET=OUTPUT=integer | Specifies the size of the WEBSOCKET_OUTPUT mailbox buffer; in bytes. |
Of course, as with all mapping rules, paths containing file types (extensions) may be specified so it is quite easy to apply settings to particular groups of files. Multiple settings may be made against the one path, merely separate set directives from each other with white-space. If a setting string is required to contain white-space enclose the string with single or double quotes, or curly brackets. The following example gives a small selection of potential uses.
Path SETings may appended to any rule that contains both a template and result. This makes it possible to apply path SETings using matching final rules. For example a matching PASS rule does not require a separate, preceding SET rule containing the same path to also apply required SETings. This is more efficient (requiring less pattern matching) and tends to make the rule set less cluttered.
Path mapping is required to get from web-space into file-space, and that mapping is not necessarily one-to-one. That is, /web/doc/ may not be WEB:[DOC] but for example, DKA0:[WEB.DOC] so that mapping would be
Mapping paths in reverse is needed to get something like DKA0:[WEB.DOC]THIS.TXT (that may come from a $SEARCH result) back into the web-space of /web/doc/this.txt. So WASD needs paths that may be mapped using the result back to the template. In simple mappings the one rule can serve both purposes. In some situations explicit, extra rules are needed.
The above example is trivial, and if WASD needs to turn something like DKA0:[DOC]THIS.TXT into a web-space representation (URI) it makes the file-space specification into URI syntax (i.e. /dka0/web/doc/this.txt) and then scans the rules comparing that to result strings in the MAP rules. When one matches, the template component is used to generate a web-space representation - the reverse of what was done when the request was initially being processed.
The non-trivial example is often associated with concealed, search-list devices. For example, the somewhat contrived
In such a case there is a need to add explicit reverse-mapping rules (often immediately following the forward mapping rule for convenience of grouping, but rules are also a little position sensitive so some skill is required) for the purpose of getting the underlying file specifications into a form for web consumption. In the above scenario an example would be
It is not always straight-forward and sometimes a decision is necessary about how the web-space is to be presented to the clients. For instance, while you easily can have multiple web-space views of the one file-space area, it is less straight-forward to have multiple web-space reverse mappings of the one file-space (as normally only the first matching rule will ever be reverse-mapped).
The example mapping rule file for the WASD HTTP server can be viewed.
The result string of these rules may or may not correspond to to a VMS physical file system path. Either way the resulting rule is further processed before passing or failing.
And to a non-standard port number
As described in 2.4 Virtual Services, virtual service syntax may be used with mapping rules to selectively apply rules to one specific service. This example provides the essentials of using this syntax. Note that service-specific and service-common rules may be mixed in any order allowing common mappings (e.g. for scripting) to be shared.
The Server Administration page WATCH report provides the capability to view the rule databse as well as rule mapping during actual request processing, using the WATCH facility.
As this has been deprecated for some years now the documentation for this functionality has been removed.
For backward-reference see the "WASD Hypertext Services - Technical Overview" document for release v9.3 or earlier.
The convention for specifying user web areas is "/~username/". The basic idea is that the user's web-available file-space is mapped into the request in place of the tilde and username.
The USER rule maps a VMS user account default device and directory (i.e. home directory) into a request path (10.5.3 USER Rule). That is, the base location for the request is obtained from the VMS systems SYSUAF file. A user's home directory information is cached, to reduce load on the authorization databases. As this information is usually quite static there is no timeout period on such information (although it may be flushed to make room for other user's). Cache contents is include in the Mapping Rules Report and is implicitly flushed when the server's rules are reloaded.
The following is a typical usage of the rule.
Note the "/www" subdirectory component. It is stongly recommended that users never be mapped into their top-level, but into a web-specific subdirectory. This effectively "sandboxes" Web access to that subdirectory hierarchy, allowing the user privacy elsewhere in the home area.
To accomodate request user paths that do not incorporate a trailing delimiter after the username the following redirect may be used to cause the browser to re-request with a more appropriate path (make sure it follows the USER rule).
WASD also "reverse maps" VMS specifications into paths and so requires additional rules to provide these mappings. (Reverse mapping is required during directory listings and error reporting.) For the continuing example the following rules would be required (and in the stated order).
Where user home directories are spread over multiple devices (physical or concealed logical) a reverse-mapping rule would be required for each. Consider the following situation, where user directories are distributed across these devices (concealed logicals)
This would require the following mapping rules (in the stated order).
Accounts with a search list as a default device (e.g. SYS$SYSROOT) present particular complications in this schema and should be avoided.
Of course vanilla mapping rules may be used to provide for special cases. For instance, if there is requirement for a particular, privileged account to have a user mapping that could be provided as in the following (rather exagerated) example.
In some situations it may be desirable to allow the average Web user to experiment with or implement scripts. With WASD 7.1 and later, and VMS V6.2 and later, this is possible. Detached scripting must be enabled, the /PERSONA startup qualifier used, and appropriate mapping rules in place. If the SET "script=as=" mapping rule specifies a tilde character then for a user request the mapped SYSUAF username is substituted.
The following example shows the essentials of setting up a user environment where access to a subdirectory in the user's home directory, [.WWW] with script's located in a subdirectory of that, [.WWW.CGI-BIN].
For more detailed information see the "Scripting Overview, Introduction".
As this has been deprecated for some years now the documentation for this functionality has been removed.
For backward-reference see the "WASD Hypertext Services - Technical Overview" document for release v9.3 or earlier.
Cross-site HTTP requests are HTTP requests for resources from a domain different to the domain of the resource making the request. For instance, a resource loaded from domain one (http://domain.example) such as an HTML web page, makes a request for a resource on domain two (http://domain.foo), such as an image, using the img element (http://domain.foo/image.jpg). This occurs very commonly on the web today. Pages load a number of resources in a cross-site manner, including CSS stylesheets, images and scripts, and other resources.
Cross-site HTTP requests initiated from within browser-based applications have been subject to well-known restrictions, for well-understood security reasons. In particular, this meant that an actively processing web application could only make HTTP requests to the domain it was loaded from, and not to other domains. Developers expressed the desire to safely evolve capabilities to make cross-site requests, for better, safer web applications. The Web Applications Working Group within the W3C has recommended the new Cross-Origin Resource Sharing (CORS) mechanism, which provides a way for web servers to support cross-site access controls, which enable secure cross-site data transfers.
This section is not a CORS reference, just the WASD implementation. Readers are referred to more authoritative CORS resources.
WASD supports CORS using mapping rules. This means cross-origin requests are evaluated prior to accessing any resources or activating any scripts, etc. If the request has an "Origin: .." header and the path has been set cors=origin=.. the server performs preflighted and request checks. If CORS authorised adds CORS response headers. If not CORS authorised adds nothing. Some significant understanding of the purpose and operation of CORS is required to tailor the provision of the required response headers.
| Rule | Description |
|---|---|
| CORS=AGE=integer seconds | Access-Control-Max-Age: response header |
| CORS=CRED=true|false | Access-Control-Allow-Credentials: response header |
| CORS=EXPOSE=header[,header2,header3] | Access-Control-Expose-Headers: response header |
| CORS=HEADERS= | Access-Control-Allow-Headers: response header |
| CORS=METHODS=method[,method2,method3] | Access-Control-Allow-Methods: response header |
| CORS=ORIGIN=URL | Access-Control-Allow-Origin: response header |
For a request containing
For a request containing
| ↩︎ | ↖︎ | ↑︎ | ↘︎ | ↪︎ |