/*****************************************************************************/
/*
                                 version.h

VERSION HISTORY
---------------
03-DEC-2024  MGD  v12.3.0, (provisionally)
                  /DO=AUTH=SKELKEY= extend skeleton-key functionality
                  WATCH now can generate standalone report file
                  WATCH can collect data in a "detached" mode
                  WATCH can collect data after network "trigger"
                  WATCH cipher octets only when [x]SSL is checked
                  WATCH "rabbit hole" restriction removed with
                    revised strategy
                  /DO=ZERO=HTTP2
                  refine HTTP/2 flow control
                  Http2FlowCheck() and WASD_HTTP2_FLOW_CHECK logical name
                  [SRC.LIBZ] and WASD_LIBZ_SHR32
                  HttpdSystemInfo() SYI$_CPUID to get underlying x86-64 CPU
                  refine/expand server process log reports
                  RequestLogNBG() to access log NBG request
                  TcpIpSocketMaxQio() remove TLS-specific ->TcpMaxQio
                  SesolaNetIoPerMinute() allows socket read size to be set
                  SesolaCme.c supports ALPN-TLS-01 (acme-tls/1)
                  DclMemBuf.C as promised (in 2017))
                    counters moved to accounting
                  proxy FTP obsolete
                  bugfix; DclTaskRunDown() REQUEST_STATE_SHUTDOWN rare $FORCEX
                  bugfix; DirFormatLayout() return SS$_RESULTOVF
                  bugfix; FileNextBlocks() StrDscBegin()
                  bugfix; DclScriptProcessCompletionAST() remove IO$_WRITEOF
                  bugfix; RequestEnd2() some statistics
                  bugfix; RequestDiscardBody() regression
                  bugfix; LoggingDo() abs(rqptr->rqResponse.Duration64)
                  bugfix; Sesola_netio_read_ex() ->TcpMaxQio to ->TcpMaxSeg
                    subtly broke (very) large reads, back to v12.0.0 strategy
                  bugfix; request I/O accounting with HTTP/2
                  bugfix; HpackHeadersFrame() >= CookieSize
                  bugfix; allow service name devoid of alphabetics
                    (e.g. 10-8.)
                  bugfix; ProxyTunnelLogicalName() SYSNAM for PSL$C_EXEC
                  bugfix; DECnetSupervisor() remove orphaned tasks
16-JAN-2024  MGD  v12.2.0, OpenSSL 3.0.n now the baseline supported version
                  Can still be built and run against OpenSSL 1.1.1
                  OpenSSL TLS 1.3 requires SSL_CTX_set_cipher_suites()
                  OpenSSL v1.1.1 emulate v3.0.n OSSL_default_ciphersuites()
                    and OSSL_default_cipher_list()
                  GATEWAY_SYMBOLS standard CGI variable
                  #WASD_CONFIG_GLOBAL [Accept] and [Reject] now accept
                    file specifications allowing files of patterns
                    to be loaded
                  /DO=ACCEPT and /DO=REJECT allow reloading of above
                  /DO=REJECT=PURGE[=] allows purging of $STATUS IPs
                  NetReject..() module allows more sophisticated accept/reject
                    allow CIDR n.n.n.n/n patterns
                    allow IP range n.n.n.n-n.n.n.n patterns
                    $DNS, $LOG, $NOTE, $OPCOM, $4/5nn with $400, $403
                    $4/5nn maps a specific HTTP status to rejected IPs
                  [SSLcipherSuites] for TLSv1.3
                  [ServiceSSLcipherSuites] for TLSv1.3
                  [AuthParam] and AuthConfigParam() provides per-realm params
                  FaolSAK() 'UQ' and 'XQ' unsigned and hexadecimal quadwords
                  SesolaCertVerifyCallback() and SesolaClientCert() use new
                    algorithm for determining client certificate validity
                  X509 Authorization parameters can now include [IG:]
                    will ignore client cert verification error number
                    returned during the verification process
                    (see prologue to AuthConfigParam())
                  logical name WASD_WATCH_ONE_SHOT defines one-shot items
                  ensure all WASD_ROOT:[] are WASD_:
                  HttpdSysOutDaily() per-day progressive snapshot of server log
                  Http2Supervisor() mitigate Rapid Reset CVE-2023-44487
                  DclTaskRecover() periodically recover scripting resources
                  HTTP/2 refinements using https://github.com/summerwind/h2spec
                  bugfix; DirFormatAcpInfoAst() 64 bit file size
                  bugfix; FileAcpInfoAst() 64 bit file size
                  bugfix; DavPropLive() 64 bit file size
                  bugfix; SesolaWatchPeek() do NOT SSL_free()!
                  bugfix; braindead SesolaServiceSameCA()
                  bugfix; OdsDirect() [again!]
                    if (odsptr->DirectWildcard[0] && !odsptr->DirectVersion0)
                       status = RMS$_NMF;
08-JAN-2023  MGD  v12.1.0, WASD_CONFIG_INLINE configuration file
                  SESOLA123 and SESOLA321 to allow OpenSSL-3.0 and
                    OpenSSL-1.1.1 to be built using the same object code
                  SesolaServiceSameCA() mitigate OpenSSL-3.0 expense
                  TcpIpSocketMaxQio() adjust send buffer 2x (unless explicit)
                  TcpIpSocketSndBuf() and ..RcvBuf() selectively applied
                  ResponseHeader() default "content-security-policy:"
                  move onclick=s to addEventListener()s to support
                    content-security-policy: 'strict-dynamic'
                  NetListFor() include client IP port, rework truncation
                  AdminMenu() [Request+] report
                  NetWrite() drop any and all HTTP status 418
                    (e.g. DCL script)
                  Sesola..() remove code support prior to OpenSSL 1.1.0
                  SysLogInit() and SysLogOpcom() and WASD_SYSLOG logical name
                  OdsAccessCheck() and logical name WASD_ODS_ACCESS_CHECK
                  metacon remote-addr: and remote-name: tests if DNS
                    resolution succeeded (if equal then name equals address
                    and failed)
                  RequestDiscardBody() use ->rqBody.ContentCount64
                  DECnetEnd() "solution" to obscure corner-case behaviour
                  [NoticeInvalid] global configuration
                  /DO=NOTICE=INVALID=
                  /DO=OPCOM=""
                  pre-v10.0 file name munging via v10orPrev10() eliminated
                  while every care has been exercised with null-terminated
                    string overflow; strzcpy() and strzcat() now ubiquitous
                  bugfix; PutDelete() missing OdsStructInit(&SearchOds,true);
                  bugfix; NetAbortSocket() deliver any outstanding read and/or
                    write ASTs (especially for HTTP/2 streams)
                  bugfix; ProxyTunnelLogicalName(NULL) from HttpdTick()
                  bugfix; HttpdSupervisor() HTTP/2 request timeout/no-progress
                  bugfix; ProxyTunnelBegin() not ProxyTunnelRebuildRequest()
                    PROXY_TUNNEL_HTTP and PROXY_TUNNEL_HTTPS should NetRead()
                  bugfix; DECnetWriteRequestBody() tkptr->QueuedDECnetIO++;
05-OCT-2022  MGD  v12.0.1, strsame() now implemented using str[n]casecmp()
                  bugfix; OdsDirect() end of records (-1) in end file block
                  bugfix; when using file cache magic buffers
                  bugfix; AuthorizeRealm() greater-than
                    not -or-equal-to ->LastAccessMinutesAgo >
                    ->rqAuth.RevalidateTimeout
23-OCT-2021  MGD  v12.0.0, So long, farewell, Auf Wiedersehen, goodnight (-VAX)
                  (comprehensive move to native 64 bit data storage)
                  continuing port to x86-64 (OpenVMS V9.1-A)
                  verified builds against and operates with OpenSSL 3.0
                    (but not officially supported due to OpenSSL 3.0 issues)
                  accommodate PIPE from WASD_ROOT:[SRC.UTILS]WASTEE.C
                  TcpIpAlt..() experimental address/name lookup
                  BSD 4.4 sockaddr.. IO$M_EXTEND to $QIO (per MB)
                  proxy caching has been obsoleted
                  proxy SOCKS5 connect support
                  scripting process naming revised (perhaps even enhanced)
                  agent scripting extended and formalised for v12...
                  AGENT-BEGIN: and AGENT-END: callouts
                  CGI: and DICT: callouts
                  /DO=DCL=PROCTOR=APPLY
                  /DO=DCL=PROCTOR=LOAD
                  /DO=NET=LIST
                  /DO=NET=PURGE=HTTP1
                  /DO=NET=PURGE=HTTP2
                  logging 'XX:blb' visual aid
                  AdminPing() provides a baseline RTT for request processing
                  SET proxy=rework= (replacement strings for response)
                  SET response=var=asis (provide exact image of on-disk file)
                  SET webdav=all (process all requests via WebDAV code)
                  SET webdav=auth (authorise access using WebDAV SETings)
                  metacon webdav:all (SETing of above)
                  metacon webdav:auth (SETing of above)
                  pass /whatever "200 $" executes CLI command
                  !#-- and !#++ selectively disable/(re)enable WATCH reporting
                  [ServiceConnect] respond to a connection on a port
                  WATCH: proctored script by checking only [x]Script
                  OdsFileAcpInfo() ATR$C_MODDATE (date-time *data* modified)
                    supplements ATR$C_REVDATE (classic revision date-time)
                  callout HTTP-STATUS: detect if a script has responded yet
                  DavWebRequest() specifically handle WebDAV GET and HEAD
                  DavMetaOds() ensure extended syntax only used ODS-5 volumes
                  AuthAccessEnable() file access use
                    (rqptr->WebDavRequest || rqptr->WhiffOfWebDav ||
                    rqptr->rqPathSet.WebDavAuth)
                  AuthParseAuthorization() return AUTH_DENIED_BY_LOGIN if
                    unknown scheme allowing 401 response rather than 403
                  FaoBigNumber() '&,' optionally numbers 'P', 'G', 'M', 'k'
                  SesolaMkCertRetain() stores dynamic cert in process logical
                  WatchData() and WatchDataDump() constrain length
                  NetListFor() use of $BRKTHRU requires OPER privilege
                  bugfix; Http2Supervisor() idle connection
                  bugfix; SesolaNetIoRead() /bytes = value/
                  bugfix; FileBegin() ERROR_REPORTED() free file task
                  bugfix; CliDemo and instance environment number (per KM)
                  bugfix; CgiGenerateVariables() "AUTHAGENT hangs when
                    called for a POST request" (per JPP)
                  bugfix; DclCalloutDefault() CLIENT-READ:
                  bugfix; AdminMenu() activity hours 672
                  bugfix; MapOdsAdsVmsToUrl() "if (SAME2(cptr,':['))"
                  bugfix; OdsDirectSearch() appending the resultant file
                    name to the pre-filled expanded name
                  bugfix; DavMetaCreateDir() and DavMetaDeleteDir() allow
                    for non-existent meta data files
                  bugfix; DavMetaName() no meta directory
                  bugfix; ErrorReportFooter() use request heap for signature
17-AUG-2020  MGD  v11.5.1, Http2RequestData() reduce memory consumption
                  HTTP2_DEFAULT_WINDOW_SIZE from 1048575 to 131070
                  if no service configured create http: and https: ex nihilo
                  VmCheckPgFlLimit() and WASD_VM_PGFL_LIMIT logical name
                  keep connect cert (->VerifyPeer) distinct from client cert
                  bugfix; ProxyEnd() fix NetIoEnd() fix
                  bugfix; OdsDirectSearch() if wildcard specification return
                    RMS$_NMF, otherwise RMS$_FNF (seems so elementary)
                  bugfix; Http2RequestCancel() cancel and abort
                  bugfix; RequestEnd() redirection
                  bugfix; SesolaALPNCallback() 'h2' global and service enabled
                  bugfix; ControlDoHelp() remove non-existent DISCONNECT=..
                  bugfix; RequestExecutePostAuth1() INTERNAL_PASSWORD_CHANGE
                    should call HtAdminBegin() not AdminBegin()
                  bugfix; SesolaSNICallback() needs to propagate newly set
                    context client verify parameters to SSL-specific
                  bugfix; SesolaNetFree() ensure (sigh) X509_free() where
                    ->ClientCertPtr associated with connection (i.e. HTTP/2)
                  bugfix; RequestParseExecute() ensure PUT and DELETE have
                    WebDAV header field(s) before considering WebDAV
22-JUL-2020  MGD  v11.5.0, "Stay well..."
                  static fallback cert replaced by dynamic SesolaMkCert()
                  protocol "HTTP/2" also reported in standard log formats
                  DavWebRequest() remove requirement for logical name
                    WASD_HTTP2_WEBDAV after WebDAV over HTTP/2 tested
                  NetIoQioMaxSeg() tune QIO to TCP MSS
                  verified against VSI SSL111 product
                  SET response=csp= ("content-security-policy:")
                    https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
                  SET response=cspro= ("..policy-report-only:")
                  metacon alpn: (TLS application level protocol negotiation)
                  metacon proctor: (obvious proctored script clause)
                  DCL callout CSP: ("content-security-policy:")
                  DCL callout CSPRO: ("..policy-report-only:")
                  REGEX.C updated (ever-so-slightly)
                  more proxy persistent connection (per JPP)
                  RequestAbort() accommodates HttpdSupervisor() refinement
                    and REQUEST_STATE_ABORT used throughout server
                  Http2RequestData() delivers Http2RequestCancel() read AST
                  NetTestSupevisor() and WASD_NET_TEST_BREAK logical name
                  bugfix; ProxyEnd() free ioptr using NetIoEnd()
                  bugfix; NetIoWriteStatus() and NetIoReadStatus()
                  bugfix; RequestPersistentConnection() pipelined request
                  bugfix; Http2RequestData() flow control
                  bugfix; SesolaClientCertGet() SSL_VERIFY_POST_HANDSHAKE
                  bugfix; httpd.c if (!CliDemo) HttpdGblSecInit();
                  bugfix; MetaConConditionalList() bu**ered
                  bugfix; RequestProcessFields() DictLookup (.."accept"..)
                  bugfix; SesolaCertExtension() BIO_NOCLOSE memory leak
                  bugfix; CacheLoadEnd() free rqCache.ContentPtr on fail
                  bugfix; DICT.C "tmptr && tmptr->clink.."
                  bugfix; Http2Priority() exclusive bit
                  bugfix; NetCreateService() only SesolaInitService() once
                  bugfix; WatchDataDump() CHARS_PER_LINE calculation (sigh)
                  bugfix; OdsDirectSearch() RMS$_FNF not RMS$_NMF (per JPP)
                  bugfix; RequestShareBegin() if (!MATCH6 (cptr, "raw://"))
                  bugfix; SesolaNetClientBegin() SESOLA_SINCE_110
                    BIO_set_data() before SSL_set_bio() (per JPP)
                  bugfix; AdminParsePath() extraneous OdsParseRelease()
                  bugfix; OdsDirectSearch() only if not already on the
                    block boundary add one to get to next, otherwise
                    already there!
20-JUL-2019  MGD  v11.4.0, "One small step ..."
                  25th Anniversary Release (see 20-JUN-1994 below)
                  adapt WatchSystemPlus() to allow use via CLI /SYSPLUS
                    then dignified with a (sysPlus..()) module of its very own
                  /OUTPUT= (in particular for /SYSPLUS)
                  HttpdSupervisor() explicitly WatchEnd()
                  Sesola_netio_read() and Sesola_netio_write() if connection
                    broken (channel zero) return zero (SSL shutdown)
                  SET response=200=203 for request tracking and log analysis
                  ResponseHiss() response status changed from 403 to 203
                  status code 418 (teapot) forces connection drop
                  allow a specified port when redirecting, i.e. http[s]//:nnn
                  Sesola_netio_read_ast() 0 status TCP/IP Services?
                  Sesola_netio_write_ast() 0 status TCP/IP Services?
                  bugfix; SesolaClientCertGet() status 0 an issue
                  bugfix; SesolaClientCertGet() if (value <= 0) break;
                  bugfix; CgiOutput() Content-Length: strtoul()
                  bugfix; SesolaClientCert() allow pattern per 25-AUG-2015
                  bugfix; SesolaCertExtension() storage reset
                  bugfix; SesolaCertParseDn() regression (or whatever)
                  bugfix; Http2NetQueueWrite() PEEK_8 at w2ptr->type
                  bugfix; non-local without "Host:" use name not host:port
                  bugfix; Http2RequestEnd() copy tally rx/tx to request
                  bugfix; OdsDirectSearch() (uint)0xffff && rlen < 508)
                  bugfix; AuthCompleted() and AuthNotComplete() to address
                    AST delivery following request end and rundown
                  bugfix; for bugfix StringSliceValue() kludge allow for
                    DECnet connection string specified username
                  bugfix; DavMetaDir() ACCVIO from !SAME2(mfdptr,'[.')
24-NOV-2018  MGD  v11.3.0
                  verified against OpenSSL v1.0.2 && v1.1.0 && v1.1.1
                  TLSv1.3 operational
                  verified against EXPAT v2.2.5 (for WebDAV purposes)
                    (but reverted to v2.0.1 for final VAX WASD release)
                  VM.C eliminate dynamic tuning of heap initial allocation
                    and rework to allow detailed memory management
                    statistics to be compiled into the runtime for
                    development purposes
                  ODS (FILES-11) directory parser
                  WatchSystemPlus() et.al. for system troubleshooting
                  RequestBegin() exit after consecutive SesolaNetBegin() fails
                  DavWebRundown() explicitly abort WebDAV processing
                  allow logical name content during one-to-one rule mapping
                  refactor WatchWrite() using NetWriteBuffered()
                  DclTaskRunDown() always use DclEmptySysOutput()
                  [BufferQuotaDclOutput] BUFQUO value for SYS$OUTPUT mailbox
                  refactor Http2RequestCancel() into Http2RequestCancelRead()
                    and Http2RequestCancelWrite()
                  ProxyRequestRebuild() proxy-authorization opaque:
                  ProxyTunnelLogicalName() WASD_TUNNEL_SECONDS
                  RequestGet() and ProxyTunnelNetReadAst() provide
                    "X-Forwarded-For:" client host to proxied-to server
                  /DO=REQUEST=RUNDOWN=..
                  /DO=ZERO=STATUS
                  /DO=SSL=SERVICE=LOAD[=] no longer works
                  SET response=var=crlf
                  SET response=var=lf
                  SET response=var=none
                  bugfix; PutWriteFileOpen() override incompatible existing
                    file characteristics by first erasing the file
                  bugfix; seemingly innumerable WebDAV fixes
                    (some obvious, some obscure)
                    many thanks to John Dite for his patience and persistence
                    in finding and reporting anomalous behaviours
                    (check the individual DAV...C modules for descriptions)
                  bugfix; StringSliceValue() kludge for DECnet tasks
                  bugfix; MetaConEvaluate() "webdav:MSagent"
                  bugfix; DavWebMicrosoftDetect() before ->WebDavTaskPtr
                  bugfix; X509_free() memory leak with ->ClientCertPtr
                  bugfix; Http2NetIoWrite() blocking write data must be
                    asynchronously persistent so employ internal buffer(s)
                  bugfix; /DO=AUTH=SKELKEY=.. cluster wide (yet again :-)
                  bugfix; SESOLA-OpenSSL memory leak at v11.0.0
                  bugfix; FileParseAst() regression with search list file
                  bugfix; RequestRundown() allow for cache activity
                  bugfix; WatchDataDump() CHARS_PER_LINE calculation
                  bugfix; (longstanding) MapUrl__Map() multiple template
                    wildcards when reverse mapping
01-MAR-2018  MGD  v11.2.0
                  make WATCH item width flexible using initial value 6 digits
                    with leading 3 digits HTTP/2 stream ID followed by
                    3 digits connection ID number and on overflow
                    increment by 2
                  if |WASD_ENV| defined use that in absence of /ENV=..
                  Dav..() always DavWebEnd() not RequestEnd()
                  WebDAV "authorisation" allowed to be EXTERNAL or OPAQUE
                  RequestRundown() outstanding task sanity checks
                  HttpdSupervisor() refactored timeout handling
                  ProxyTunnelLogicalName() and WASD_TUNNEL to provide
                    client host and port tunnel data available to the WASD
                    system activated by SET..PROXY=FORWARDED=[FOR|ADDRESS]
                  logging 'II' image information (file, version, link time)
                  logging 'TI' request time in ISO 8601 extended format
                  logging 'TS' (sortable) UTC request time ISO 8601 format
                  logging 'TU' request time UTC (GMT) now synonym for 'TG'
                  stamp (note) log events when common/combined with/without+
                  SET DIR=TITLE=[default|owner|remote||this=]
                  /DO=HELP brief summary of command-line /DOs
                  /DO=SSL=SERVICE=LOAD[= (re)load SSL context
                    (/DO=SSL=CERT=LOAD is now implemented using this)
                  /DO=STATUS report basic status of all instances
                  /DO=STATUS=NOW instances immediately update status
                    information
                  /DO=STATUS=PURGE zero stale instance status information
                  /DO=STATUS=RESET zero instance status information
                  /NOTE= annotation to server process log
                  refactor WatchEnd() (yet again)
                  DclInit() do not adjust SYS$OUTPUT mailbox size when HTTP/2
                    is enabled, issue an informational as required
                  DclMemBuf..() memory buffer script IPC (see DCLMEMBUF.C)
                  callout BUFFER-BEGIN:
                  callout BUFFER-END:
                  callout BUFFER-WRITE:
                  SesolaReport() allow reporting using an HTTP service
                  CgiOutput() refine Content-Length: to report out-of-range
                  CgiOutput() reject subsequent non-header
                  WatchReport() move SSL item into Network group
                  WatchShowCluster() and WatchShowSystem() VMS V6.2 obsolete
                  bugfix; (longstanding) InstanceSocketForAdmin() sys$deq()
                  bugfix; Http2..() window update and flow control management
                  bugfix; logging 'BB' header length "lost" during HTTP/2 mods
                  bugfix; nil content CGI responses not delivered
                  bugfix; (long-standing) always use UpdEnd() not SysDclAst()
                  bugfix; CgiGenerateVariables() |rqptr->rqAuth.SourceRealm
                    != AUTH_SOURCE_AGENT_OPAQUE &&|
09-AUG-2017  MGD  v11.1.1
                  relax HTTP/2 "rabbit hole" to permit WATCHing except for
                    items [x]HTTP/2, [x]SSL and [x]network
                  /INSTANCE=CONFIG ensures config values used
                  SesolaClientCertRenegotiate() allow for pre- and post-
                    OpenSSL 1.1.0 due to MSIE11 (Edge) stalling on a read
                    after renegotiation (pre reverts to v11.0 and earlier
                    code)
                  SesolaInitService() when SSL_CTX_set_tmp_dh_callback() is
                    enabled (DH_PARAM_*.PEM files present) ensure flag
                    SSL_OP_CIPHER_SERVER_PREFERENCE is implicitly set
                  MapUrl_GuaranteeAccess() mapping as well as authorisation
                  Authorize() move AuthorizeGuaranteeAccess() up-front to
                    ensure access to guaranteed paths not only with failure
                  StringSliceValue() allow quote-delim inside space-delimited
                  bugfix; rationalise as OpenSSL_version[_num]() becomes
                    confused catering for OpenSSL v1.0.2 && v1.1.0 && v1.1.1
                  bugfix; HttpdSupervisor() do RequestRundown() only the once
                  bugfix; DclCalloutDefault() NOTICED: and OPCOM: responses
                  bugfix; DclScriptProctor() request is not actually "!!*!"
                  bugfix; HpackHeadersFrame() use ":authority" pseudo-header
                    for "Host:" header according to RFC7540 8.1.2.3
                  bugfix; SesolaCertExtension() generate UPN independently
                    for each of pre- and post- OpenSSL 1.1.n
                  bugfix; SesolaClientCertConditional() 'IS' processing
                  bugfix; SesolaClientCertRenegotiate() allow for low-level
                    (i.e. SSL) I/O errors (e.g. link disconnection)
                  bugfix; LoggingDo() 'SR' silliness from v11.0 rework
                  bugfix; MapUrl_ExplainPathSet() response=header=add=..
                  bugfix; for HTTP/2 (sigh) we need NPH to generate a header
                  bugfix; session ticket key refresh
                    (must be one of those...)
04-MAY-2017  MGD  v11.1.0, "Raw"Socket based on WebSocket infrastructure
                  [DclScriptProctor] * general idle process(es)
                  [ServiceRawSocket] enables a RawSocket
                  [ServiceSSLcert] specification can contain wildcard(s)
                  SET proxy=header=[=]
                  logging 'CL' insert request content-length
                  logging 'PL' insert PUT or POST body received count
                  Sesola..() refinements for OpenSSL v1.1.1 and TLS 1.3
                  sesola.h |#include "openssl/rand.h"| to fix OpenSSL v1.1.0
                    static link error against rand_bytes() and rand_seed()
                  SesolaNetThisIsSSL() allow redirection to include scheme
                  /DO=SSL=CERT=LOAD ... basically for internal use only!
                    (heads-up: planned Let's Encrypt CME utility :-)
                  Graph..() activity graphic now implemented using
                    HTML5 canvas
                  ResponseHeader() ensure non-printables cannot be injected
                  InstanceSessionTicketKey() rework multi-instance/cluster
                    (sigh! yes again; the lack of a test cluster these days)
                  DirDirectories() do not list "hidden" (^.the.DIR)
                    directories
                  bugfix; use rqHeader.RequestBody.. for body with header
                  bugfix; DclScriptProctor() v11.0 request structure requires
                    dictionary and netio structures
                  bugfix; SesolaNetIoRead() SSL_read() in-progress
                  bugfix; Http2RequestEnd() end-of-request (control) frame
                    independent of request itself
                  bugfix; Http2NetQueueWrite() and Http2NetWriteDataAst()
                    blocking writes are not placed on the request's write
                    list as they are transparent to the request
                  bugfix; Http2NetQueueWrite() deliver via NetIoWriteStatus()
                    using SS$_NORMAL (HTTP/2 I/O) not the request ->VmsStatus
                  bugfix; SesolaControlReloadCA() do not proactively
                    X509_STORE_free() (leaves a dangling pointer?)
                  bugfix; SesolaSNICallback() port elimination
                  bugfix; RequestExecutePostCache() keyword redirection count
25-AUG-2016  MGD  v11.0.2, Http2RequestBegin() ensure stream ident not reused
                  increase MAX_REQUEST_HEADER from 16384 to 32768
                  InstanceSessionTicketKey() rework multi-instance rotate
                  CgiGenerateVariables() mitigate httpoxy vulnerability
                  MsgConfigLoadCallback() make [ismap] optional
                  ParseCommandInteger() accept just an integer
                  CLI /INSTANCE= now sets global section |InstanceMax| to
                    allow the created process to continue to exist and when
                    used needs to be reset with the likes of /INSTANCE=1
                  minimum supported OpenSSL version is now v1.0.0
                    which precludes HP SSL V1.4 (at least)
                  OpenSSL v1.1.0 required code changes including
                    #if (OPENSSL_VERSION_NUMBER < 0x10100000L) in Sesola..()
                    modules, and introducing a version dependent build
                  SesolaClientCertRenegotiate() rework due to OpenSSL v1.1.0
                  ResponseHeader() ->rqCgi.ScriptControlHttpStatus will
                    allow an error reporting script to override the
                    original status
                  CGI Script-Control: X-http-status=
                  %SSL-x-STRICT (RFC6797) now described as %SSL-x-STRICT, HSTS
                  bugfix; Http2RequestData() always deliver via NetIoReadAst()
                  bugfix; HpackHeadersFrame() uncompressed header size
                  bugfix; CgiGenerateVariables() names from dictionary
                  bugfix; MetaConEvaluate() request: regression
                  bugfix; RequestProcessFields() if-range: regression
                  bugfix; MetaConEvaluate() client_connect_gt: regression
                  bugfix; SesolaClientCert() move X509 RENEGOTIATE switch
                    HTTP/2 to HTTP/1.1 after SSL_get_peer_certificate()
30-JUN-2016  MGD  v11.0.1, meta config [[wasd*n.n.n]] server version
                    conditional
                  [SSLsessionLifetime] session ticket (or ID) lifetime
                  [SSLverifyPeerDataMax] see documentation
                  [ServiceSSLsessionLifetime] per-service equivalent
                  [ServiceSSLverifyPeerDataMax] per-service equivalent
                  [SSLsessionCacheMax] default (of zero) now disables in
                    favour of the more efficient Session Ticket
                  SesolaSessionTicket..() refresh and coordinate the
                    TLS session ticket key
                    cluster-wide using the DLM
                  InstanceSupervisor() refresh session ticket key at midnight
                  RequestGblSecUpdate() method and URI only printable chars
                  ProxyTunnelRequestParse() append mapped path for logging
                  DirFiles() and DavPropSearchAst() ignore ambiguous file
                    names containing an escaped ("^.") period but no type
                  ErrorRedirectQueryString() ERROR_URI variable
                  bugfix; MapOdsUrlToOds5Vms() URLs will not contain
                    '^'-escaped sequences so just '^'-escape them
                  bugfix; SesolaClientCertRenegotiate() ensure request data
                    cleared before renegotiate ([SSLverifyPeerDataMax])
                  bugfix; DclTaskRundown() cancel HTTP/2 client read
                  bugfix; HttpdSupervisor() accumulate proxy accounting data
                  bugfix; RequestEnd2() decrement processing rx or (SSH)
                    method
                  bugfix; RequestEnd2() read status OK -or- ENDOFFILE
                  bugfix; HpackHeadersFrame() multiple to single cookie header
                  bugfix; MetaConEvaluate() request-scheme: regression
                  bugfix; NetWrite() response header write error handling
                  bugfix; SesolaClientCert() just return status
07-MAY-2016  MGD  v11.0.0, HTTP/2 (RFC7540, RFC7541)
                  restructure network I/O abstractions (oh boy!)
                  key-value dictionary (associative array) abstraction
                  add "Refresh [integer] Seconds" to appropriate reports
                  ProxyFtpListOutput() update in line with directory listing
                  SET dict[=[=]]
                  SET http2=protocol=1.1
                  SET http2=send=goaway[=]
                  SET http2=send=ping
                  SET http2=send=reset[=]
                  SET http2=write=[low|normal|high]
                  metacon dict:, http2: and request-protocol:
                  [HTTP2..]
                    global configuration
                  [TimeoutHttp2Idle]
                  logging 'DI' insert specified dictionary item value
                  /DO=HTTP2=PURGE[=]
                  ensure timed-out requests are logged as 408/500
                  excise much of the twenty years of reporting HTML cruft
                  obsolete ismap.c, filedot.c, menu.c and track.c
                    functionality
22-APR-2016  MGD  v10.4.3 (unreleased), logging 'NP' insert notepad value
                  logging 'XX' insert custom site/client-specific datum
                  SET sslcgi=apache_mod_ssl_client
                  SET sslcgi=apache_mod_ssl_extens
                  LoggingDo() MAX_FAO_VECTOR from 64 to 128
                  SSL_CTX_set_ecdh_auto() set elliptic curves selection
                  SesolaTmpDHCallback() improve DH*.PEM flexibility
                  SesolaCertExtension() parse X509 extensions
                  SesolaCertName() parse X509 distinguished name
                  SesolaCgiVariablesExtension() document X509 extensions
                  SesolaReport() list certificate extensions
                  [ru:/CN=] allows multiple to be selected between
                    (e.g. "[ru:/CN=user*]", "[ru:/CN=^^\[^/=\]*$]")
                  SesolaCertParseDn() strncmp() not strsame()
                  SesolaCertParseDn() select on pattern match
                  StringMatchAndRegex() ensure |rqptr| not needed
                  add limit to consecutive failures on persistent connection
                  remove limit to consecutive requests on persistent
                    connection
                  TcpIpAddressToString() IPv4 in IPv6 as ::FFFF:n.n.n.n
                  bugfix; ResponseHeader() for HEAD request transfer-encoding
                    chunked suppress actual chunked body (RFC 7230 3.3)
                  bugfix; SesolaInit() session cache max -1 disables cache
                  bugfix; LoggingDo() elapsed time items
                  bugfix; LoggingDo() 'CC' do not reuse pointers!
                  bugfix; LoggingDo() 'VS' |->ServicePtr| dereference
15-AUG-2015  MGD  v10.4.2, [ServiceStrictTransSec] (RFC6797)
                  [SSLstrictTransSec] (RFC6797)
                  SET response=sts= (Strict-Transport-Security:)
                  ResponseHeader() Strict-Transport-Security: header
                  add WATCH "!42*x" to beginning and ending of requests
                  DavWebRequest() allow bodies with any and no Content-Type:
                    then in DavWebRequest2() check for XML in the body content
                  RequestRedirect() always use dynamic buffers
                  when "remote-addr:" begins '?'
                    translate host to IP address
                  LoggingDo() add WASD_LOGS "convenience" logical name
                  disable kludge; SesolaNetAccept() SSL3_ST_SR_CLNT_HELLO_C
                    as the issue seems to have been fixed in OpenSSL v1.0.2c
                  logical name WASD_REDIRECT_WILDCARD must be defined to
                    enable "DNS wildcard" proxy redirection
                  bugfix; [Cli]ParseCommand() parenthesis parsing
                  bugfix; Request..() rework pipelined request handling
                  bugfix; move supervisor PID from InstanceNodeSupervisor()
                    to InstanceNodeSupervisorAst()
                  bugfix; DavWebDestination() URI and URL (Total Commander)
                  bugfix; Error..() earlier and broader detection of WebDAV
                  bugfix; DavDeleteParse() enable access around OdsParse()
                  bugfix; DavMoveMeta() do not report RMS$_DNF
                  bugfix; FaoSAK() sdptr = StrDscBuffer(StrDscPtr);
                  bugfix; DavXmlStartElement() PROPFIND accumulate list of
                    dead properties subsequently searched for in the metadata
                  bugfix; MapUrl_ExplainPathSet() ->ResponseChunked
                  bugfix; CONFIG_SERVER_LOGS logical names precede fixed
                    locale
12-FEB-2015  MGD  v10.4.1, ProxyResponseRebuild() and ProxyRequestRebuild()
                    provide timeout=n parameter with Keep-Alive: header field
                    (some origin servers hang when no parameters supplied,
                    per JPP)
                  SesolaInitOptions() expand options keywords to include
                    most SSL_OP_.. flags using the OpenSSL flag #define as
                    the keyword minus the "SSL_"
                    (e.g. OP_CIPHER_SERVER_PREFERENCE)
                  SesolaTmpRSACallback() and SesolaTmpDHCallback() support
                    for ephemeral keys enabling "forward secrecy"
                  SesolaInitService() and SesolaInitClientService() if cipher
                    list begins '+', '-' or '!'
                    append it to default
                  increase MAX_REQUEST_HEADER from 8192 to 16384
                    (proxying requests from Firefox to IIS, per JPP)
                  kludge; SesolaNetAccept() SSL3_ST_SR_CLNT_HELLO_C
                  bugfix; RequestEndEnd() use ZERO_DELTA_TIME macro
                  bugfix; AuthCacheNeedsReval() AlreadyLocked (per JPP)
                  bugfix; ConfigReportSecureSocket() FaoVector[32]
05-DEC-2014  MGD  v10.4.0
                  CORS support
                  /SSL=(TLSvALL,TLSv1.1,noTLSv1.1,TLSv1.2,noTLSv1.2)
                  removed /SSL=(2|3|23) which must be altered to SSLv2, etc.
                  NOTE: TLSv1, TLSv1.1, TLSv1.2 now ENABLED by default
                        SSLv2 and SSLv3 are now DISABLED by default
                        (as recommended post-POODLE)
                  MapUrl_ClientAddress() allows for transparent upstream proxy
                  ResponseStream() and request /stream/
                  AuthCacheNeedsReval() so multiple cache entries for the
                    same credentials do not trigger multiple revalidations
                  SsiEnd() detect and report non-SSI problem encountered
                  access log buffer extended from [4096] to [16384]
                    (UMA SAML)
                  LoggingQuoted() explicitly encode some fields where a raw
                    quotation mark (URI forbidden) can break a log entry
                  HttpdExit() sanity check trace after %SYSTEM-F-ASTFLT
                    stack corruption at (you guessed it) Uni Malaga resulted
                    in the icb.libicb$v_bottom_of_stack never being set!
                  tweaks to some accounting fields and values (for WASDmon)
                  NetCreateService() check bind address string instead of
                    address to allow binding primary to 0.0.0.0 (INADDR_ANY)
                  directory default listing style now ed directory path
                  SET ods=name=utf8 then response charset=utf-8
                  directory ?httpd=index&font=[inherit|monospace(D)]
                    ?httpd=index&style=table[2]
                  SET client=[forwarded|if=forwarded|literal=|reset|
                    if=xforwardedfor|xforwardedfor]
                  SET dir=font=[inherit|monospace(D)]
                    dir=style=TABLE[2] (new default)
                  SET cors=age= cors=cred=[true|false] cors=expose=
                    cors=headers= cors=methods= cors=origin=
                  SET ods=name=8bit, ods=name=utf8, ods=name=default
                  SET webdav=[no]hidden webdav=meta=dir=
                  [SecureSocket] and [SSL...]
                    (overridden by /SSL=)
                  [WebDAVmetaDir] sub or full directory for meta files
                  WebDAV configurable metadata (sub)directory
                  AuthAccessCheck() add explicit check against server account
                    to improve reporting of underlying access
                  User-defined logging directives 'CI', 'SR', 'SV' for
                    SSL cipher, session reuse and version items
                  COMMON+, COMMON_SERVER+, COMBINED+ composite log formats
                  X-record0-mode[=0|1] and associated CGI null-record mode
                  bugfix; and refine DirFormatSize()
                  bugfix; SSLv23_method() appears to be a Swiss-army knife
                    significant rework of SSL version configuration
                  bugfix; TcpIpCacheAddressToName() memcpy null char
                  bugfix; DavMetaOpenAst() retry after meta directory creation
                  bugfix; DavPropEnd() ensure unused meta-data file deleted
                  bugfix; MapOds5VmsToUrl() et.al. allow for ".]["
                  bugfix; SAME3 0x00ffffff mask (not 0xffffff00)
                  bugfix; DirFormatAcpInfoAst() ThisIsADirectory = false;
                  bugfix; DavWebCreateDir() set SYSPRV access, propagate rest
                  bugfix; PutWriteFileOpen() WebDAV should not use default
                    protection mask and instead propagate from profile
                  bugfix; FileParseAst() allow for non-dir .DIR files
                  bugfix; RequestRedirect() allocate using (possibly expanded)
                    header length (not fixed) when allocating POST buffer
                  bugfix; PROXY.C no $QIO buffer should exceed 65535!
06-OCT-2013  MGD  v10.3.0
                  TLS1 Server Name Indication (SNI) extension
                  /SSL= parameter options rework (plus new mnemonic options)
                  SesolaNetClientBegin() include SNI before connect
                  PutWriteFileOpen() support FAB$C_STM and FAB$C_STMCR
                  DclMailboxAcl() allow usernames without associated
                    identifiers (i.e. shared UICs) by first trying with the
                    username and on failure getting the UIC and using that
                  FaoUrlEncodeTable tilde from "%7e" to "~" (cadaver issue)
                  GzipInit() ZLIB shareable image via logical names
                    WASD_LIBZ_SHR32, then GNV$LIBZSHR32, finally LIBZ_SHR32
                  PersonaAssume() wrap sys$persona_create() with SYSPRV
                    after modifications to DclMailboxAcl() to allow
                    usernames without associated identifiers (i.e.
                    shared UICs)
                  authorisation realm read-only group can be specified as "*"
                    to represent that "everyone else" can read
                  ProxyResponseRebuild() additional header length bumped from
                    an ambit 256 to an ambit 1024 (Uni Malaga :-)
                  OdsNamBlockAst() on non-ODS_EXTENDED platforms (i.e. VAX)
                    tease-out system file name from Nam.nam$l_name and
                    Nam.nam$l_type into odsptr->SysFileName buffer
                    historically used by ODS-5 and munge for ODS-2 as well
                  .WWW_WASD directory directive file
                  sortable directory listing
                  ?httpd=index&ilink=[yes|no]
                  ?httpd=index&override=[yes|no]
                  ?httpd=index&query= (.WWW_WASD specific)
                  ?httpd=index&style=
                  ?httpd=index&sort=[+|-]
                  ?httpd=index&target=
                  ?httpd=index&these=[,]
                  ?httpd=index&versions=|*
                  SET dir=delimit=
                  SET dir=[no]ilink
                  SET dir=style=sort (plus the dir=style=2)
                  SET dir=sort=[+|-]
                  SET dir=target=
                  SET dir=these=[,]
                  SET dir=versions=|*
                  SET put=rfm=[STM|STMCR|UDF] added to FIX512,STMLF
                  "upstream-addr:" conditional
                  [AuthRevalidateLoginCookie] obsolete (in favour of ...)
                    rqptr->AuthRevalidateCount to track empty authentication
                    prompts preceding potential redundant revalidation prompt
                  [PutBinaryRFM] add STM and STMCR
                  [ServiceNonSSLRedirect] |[:]
                  some refinements to Upd..() layout and functionality
                  refine HTML and bring a little more up-to-date
                  AUTH_MAX_USERNAME_LENGTH bumped from 47 to 64 for X509
                  FileAcpInfoAst() '$.' file extension kludge
                  bugfix; AuthConfigLoadCallBack() additional [AuthProxy]
                    with intervening rules should reset proxies
                  bugfix; FileResponseHeader() "?httpd=content&type=" decoded
                  bugfix; MapOds..() identify MFD using "000000]" and
                    "000000."
                  bugfix; AuthVmsGetUai() interaction of logon= parameters
                  bugfix; UpdFileRename() ACCVIO with AuthAccessEnable()
                  bugfix; RequestParseAndExecute2() remove reset of request
                    persistent flag from OPTIONS and DELETE
                  bugfix; SesolaInitService() (or refinement)
                    SSL_CTX_set_session_id_context() against each service
                  bugfix; DirFormatSize() bytes
                  bugfix; OdsParseTerminate() on non-ODS_EXTENDED platforms
                    (i.e.
VAX) reset .nam$b_esl to changed expanded length or it can generate RMS$_ESL errors
bugfix; DavPropSearchAst() on non-ODS_EXTENDED platforms (i.e. VAX) reset .nam$b_rsl to changed resultant length or it can generate RMS$_RSL errors
bugfix; non-ODS_EXTENDED platforms (e.g. VAX) must OdsParse() NAM$M_NOCONCEAL before OdsSearchNoConceal()
bugfix; MapUrl__Map() reverse mapping wildcard copy
bugfix; CgiGenerateVariables() AUTH_GROUP write/read status
bugfix; AuthClientHostGroup() wildcard match result reversed
bugfix; ProxyResponseRebuild() call ProxyRebuildLocation() can return a pointer to the original location!
bugfix; SesolaInit() translate WASD_SSL_CIPHER logical name

09-NOV-2012 MGD v10.2.0, TOKEN authorisation
request header DNT (do not track)
set ProxyReadBufferSize to 64k (per JPP)
allow (proxy) ResponseBufferSize to be >= 64k (per JPP)
HttpdSystemInfo() $GETSYIW() CsidVersion treat status SS$_UNREACHABLE as non-fatal and fallback to 16 byte LVB
DIGEST.C numerous tweaks up to RFC2069
[AuthTokenEntriesMax] for token authorisation
bugfix; HTAdminModifyUser() use database name for digest
bugfix; AuthorizeResponse() digest scheme
bugfix; AuthVmsGetUai() logon= fall through
bugfix; DclSysOutputAst() WebSocket wrt agent
bugfix; WebSockEnd() do not NetCloseSocket()
bugfix; (at least improve) caching of group write/read
bugfix; SesolaParseCertDn() return NULL if record not found
bugfix; AuthorizeGroupWrite() with cached entries!
bugfix; AuthReadSimpleList() parameter /DIRECTORY= processing

28-APR-2012 MGD v10.1.1, RequestGet() no longer report 408 for unused connections
RequestEndEnd() likewise ignore unused connections (Chrome)
MetaConLoad() compress non-significant white-space
proxy WebSocket upgrade requests as raw tunnels (kludge)
DclRestartScript() refine WebSocket handling
DirFormatSize() now uses quadword
DirFormatSize() adjusts units to fit size width
MATCH0..8() macro to improve efficiency over memcmp()
SAME1..4() macro to abstract the *(USHORTPTR)s, etc.
bugfix; RequestBegin() remove RequestEnd() following failed SesolaNetBegin() resulted in redundant request rundown
bugfix; SesolaNetAccept() initialise value=0
bugfix; SesolaNetRead() SSL state not SSL_ST_OK
bugfix; SesolaNetWrite() SSL state not SSL_ST_OK
bugfix; DavWebMicrosoftMunge2() token reprocessing
bugfix; FileAcpInfoAst() SS$_BADPARAM >2GB <4GB (per JPP)
bugfix; WebSockCloseMailboxes() logic
bugfix; DclScriptProcessCompletionAST() don't WebSockClose() any WebSocket request currently associated with the task
bugfix; RequestEndEnd() '->WebSocketCount' already locked

06-NOV-2011 MGD v10.1.0, dragged kicking and screaming to VMS V7.0 base build
Web Socket (HTML5) support
Secure Sockets default to SSL v3 and TLS v1 (no more SSL v2)
SET cache=[no]cookie
SET map=uri
SET proxy=chain=cred=
SET proxy=tunnel=request=
SET regex=
SET response=HTTP=original
SET service=
SET notimeout (short-hand for timeout=none,none,none)
SET websocket=
"origin:" conditional
"request-peek:" conditional
"upgrade:" conditional
"websocket:" conditional
[DclScriptProctor] (pro-)activate script/environments
[RegEx] enabled/disabled/
[ServiceProxyChainCred] down-stream proxy credentials
[WwwImplied] "www." is implied even with virtual services ("Host:") not beginning with it (ServiceFindVirtual())
callout LIFETIME: can accept
callout SCRIPT-CONTROL:string (see DCL.C)
logging 'PP' outgoing proxy connection local port
/DO=ALIGN=.. to allow collection and analysis of Alpha and Itanium alignment fault data using HttpdAlignFault() et.al.
/DO=NET=PURGE[=..] expanded capability
/DO=WEBSOCKET=DISCONNECT[=..]
to disconnect WebSockets
/PRIORITY= limit increased from 6 to 15
SesolaInit() default is SSLv2 off and SSLv3/TLSv1 on
AuthAgentCallout() callout BODY implemented (for PAPI)
MapOdsUrlTo..() consecutive '/' into a single a la Unix
ServiceReportNow() service synopsis
ProxyTunnelChainConnect() chain proxy authorization
ProxyRequestRebuild() chain proxy authorization (BASIC only)
ServiceReportNow() add summary to service report
configuration lines beginning "!#" now allow WATCHable during mapping and authorisation processing
reworked query string handling based on length
ServiceEntityMatch() processes in-match and if-not-match
CacheSearch() implement request cache control
CacheLoadResponse() checks response header for "Cache-Control:" directives and adjusts accordingly
CacheLoadEnd() buffer all content-type data (previous behaviour truncated at ';' or white-space)
MetaConLoad() ensure metacon "lines" are quadword aligned
__unaligned directive added to pointer macros in a (successful) effort to avoid alignment faults
VM_OFFSET now 8 (quadword alignment) instead of 4
bugfix; OdsFileExists() parse NAM$M_NOCONCEAL in case of multi-valued, concealed logical devices and then convert returned status DNF into the functional equivalent FNF
bugfix; directory listing OdsSearchNoConceal() to process concealed, multi-value logical device names
bugfix; RequestRedirect() only concat '&' if including query
bugfix; set rule 'CacheSetting' boolean with any CACHE=..

02-OCT-2010 MGD v10.0.3, command-line checks of configuration files
/DO=AUTH=CHECK
/DO=CONFIG=CHECK (all configuration files)
/DO=GLOBAL=CHECK
/DO=MAP=CHECK
/DO=MSG=CHECK
/DO=SERVICE=CHECK
TcpIp6..() functions to resolve IPv6 AAAA records
ProxyRequestParse() improve IPv6 host parsing
bugfix; regression at 10.0.1 with proxy authorization
bugfix; SSL_set_info_callback() not SSL_CTX_set..()

01-JUL-2010 MGD v10.0.2, metacon "file:" and "directory:" to probe file-system
SET script=lifetime=
SET put=max= per-path equivalent of [PutMaxKbytes]
SET put=max=* for (effectively) unlimited upload
BODY.C significant rework to function()alise common code
BODY.C improve performance with multiblock of 127 (per JPP)
BODY.C make MultipartContentType(Ptr) a dynamic structure as Microsoft endeavour to include application data along with MIME content-type, see ... http://msdn.microsoft.com/en-us/library/aa338205.aspx and an example (no kidding!) ... "application/vnd.ms.powerpoint.template.macroEnabled.12application/x-font"
FileNextBlocks() change QIO file size from long to quad to cater for files greater than 4GB (4GB+ is limited to file serving only, no ranges, etc.)
RequestExecutePostCache() UTF-8 decode WebDAV objects
RequestRedirect() support WebDAV "Destination:" field (JPP)
DclAllocateTask() default unconfigured CGIplus lifetime
SsiDoSet() and SsiGetTagValue() allow '$' in variable names
Mapurl_ControlReload() rather than Mapurl_Load()
bugfix; MapUrl_ControlReload()
bugfix; DclUpdateScriptNameCache() run-time pointer
bugfix; OdsNamBlockAst() odsptr->NamFileSysNamePtr always set to odsptr->SysFileName in case RMS$_FNF, etc.
bugfix; RequestGet() MAX_REQUEST_HEADER (per JPP)
bugfix; allow METACON_TOKEN_INCLUDE for [IncludeFile]
bugfix; MetaConEvaluate() when JustChecking: HTTP header fields (e.g. "cookie:")
bugfix; DavMetaReadName() and DavMetaWriteName() allow for typeless file names (e.g.
]AFILE.;)
bugfix; PutWriteFileOpen() ensure SYSPRV enabled before $ERASE() if not WebDAV request (access and ownership) (JPP)
bugfix; DavWebSlashlessMunge() enable SYSPRV while calling OdsFileExists() (per JPP)
bugfix; do not use REDIRECT for WebDAV request error report
bugfix; no new token when refreshing existing lock (per JPP)
bugfix; FileNextBlocks() signed/unsigned comparison when calculating buffer size on files larger than 2^31
bugfix; MapOdsUrlToOds5Vms() MapOdsElementsToVms() include '|' and '%' as ODS-5 escaped characters
bugfix; DirAuthorizationAst() only check access on non-empty expanded file names
bugfix; PutWriteFileOpen() ensure SYSPRV enabled before $CREATE() if not WebDAV request (for access and ownership)
bugfix; FileNextBlocks() signed/unsigned comparison when calculating buffer size on files larger than 2^31
bugfix; MapOdsUrlToOds5Vms() MapOdsElementsToVms() include '|' as an ODS-5 escaped character
bugfix; DirAuthorizationAst() only check access on non-empty expanded file names
bugfix; PutWriteFileOpen() ensure SYSPRV enabled before $CREATE() if not WebDAV request (for access and ownership)
bugfix; DirBegin() "httpd=index&" detection (since v9.3.0)
bugfix; DirEnd() suppress unless RequestEnd() AST
bugfix; SsiDoDcl() report cgi=/script= query string as error
bugfix; UpdBegin() [goto] processing

01-MAR-2010 MGD v10.0.1, ProxyFtpListProcessUnix() names with white-space (per JPP)
ProxyResponseRebuild() !"accept-encoding" (per JPP)
make proxy requests subject to throttle (per JPP)
MapUrl__Map() increase some buffer sizes (per JPP)
RequestRedirect() add return length (overflow) check
log format 'HO' request "Host:" field
log format 'RH' any request header (e.g. "RH:cache-control:")
log format 'VS' request virtual service
According to http://www.ietf.org/rfc/rfc2145.txt a server should respond with the minor HTTP version reflecting its own compliance rather than the client's provided the response itself is compliant with the client minor version (i.e. HTTP/1.0 requests should get HTTP/1.1 in the response status line - and now implemented by ResponseHeader())
bugfix; LoggingDo() sys$flush(&RAB) not (&FAB)
bugfix; LoggingDo() initialise (zero) &DummyRequest
bugfix; ProxyMaintInit() use v10orPrev10() for scan (per JPP)
bugfix; ProxyTunnelReadAst() data count tx (per JPP)
bugfix; ConfigAcceptClientHostName() reject

29-NOV-2009 MGD v10.0.0, WebDAV 1,2
AuthAcmeVerifyUser() requires SECURITY privilege to allow ACME$M_NOAUTHORIZATION for authentication-only when using WASD_NIL_ACCESS identifier
AuthAcmeVerifyUser() and AuthVmsGetUai() can now use [AuthSYSUAFlogonType] and/or an optional authorization rule parameter 'param="logon=.."' to specify the login type (default is still NETWORK)
AuthRestrictAny() uses a single set of access restrictions
ACME DOI name of '*' indicates use the default of ACME$LATEST_ENABLED_AGENT_LIST rather than specified DOI (authentication realm set to the DOI authentication realm)
allow for []-delimited IPv6 addresses as service names
concurrently support v10 and pre-v10 logical names (use WASD_.. rather than HTTPD$.. and HT_..
logical names)
move WASD process naming schema from "HTTPd:" to "WASD:" (implies the automatic creation of new rights identifiers)
use STR_DSC and associated StrDsc..() functions to refine and simplify formatted and buffered output
OdsNameOfDirectoryFile() no longer mandatory that a directory file actually exists to generate the name
MapUrl_Map()/__Map() now have a REQUEST_PATHSET parameter (to better decouple file-system mapping and path SETing)
refine loading and mapping of path SETings
add HTTP status filter to WATCH
DclSysOutputAst() if WATCHing DCL and non-CGI-compliant response continue to end-of-script bit-bucketing output (DECNET.C code already provides this behaviour)
User-defined log format now includes 'CP' client port
RequestRedirect() allow a redirect to include its own query string and then concatenate any request query with '&'..
CgiVariable() optimise single-quotation escaping (JPP)
GzipShouldDeflate() do not compress Shockwave Flash
increase minimum size before compression to 1400 bytes
HttpdExit() add explicit traceback for AXP and IA64 (per JPP)
WATCH script item (interesting and useful suggestion from Jean-Pierre Petit)
callout WATCH:string (see DCL.C)
CGI variable WATCH_SCRIPT indicates when script WATCHing
SET css=
SET put=max=
SET put=rfm=[FIX512|STMLF]
SET script=agent=as=
SET webdav=... (multiple WebDAV related settings)
[AuthSYSUAFlogonType] specifies NETWORK, DIALUP, etc.
[BufferSizeNetFile] global configuration directive
[BufferSizeNetMTU] global configuration directive
[HttpTrace] global configuration directive
[PutBinaryRFM] global configuration directive
[ServiceLogFormat] a per-service user-defined log format
[ServiceShareSSH] share with (allow proxy to) SSH
[WebDAV...] global configuration directives
"webdav:" conditional
logical name WASD_NO_SYSUAF_ACME disables SYSUAF via ACME
logical name WASD_NO_ACME disables ACME altogether
can't believe it but some PHP script paths are exceeding a SCRIPT_NAME_SIZE of 128 - bump to 256!
ServiceConfigAdd() use INADDR_ANY if host name lookup fails
NetCreateService() use primary if service IP addr reset
activity report has some major changes (see version log)
AuthorizeResponse() allow agent reason for 403
bugfix; NetWriteStrDsc() flush all full descriptors
bugfix; NetWriteGzip() ensure buffer size <= 65535
bugfix; MapUrl__Map() to URL use request ODS not path ODS
bugfix; ServiceConfigFromString() create and use temporary service structure when generating report
bugfix; FileAcpInfoAst() and CacheAcpInfoAst() byte-range limit negative offset
bugfix; OdsNamBlockAst() deliver AST with 'AstParam' (requiring parameter changes to *lots* of AST functions called by use of OdsParse() and OdsSearch() - bugga!)
bugfix; AuthVmsChangePassword() ensure that rqAuth.SysUafDataPtr is populated
bugfix; MapUrl__Map() proxy 'fall-thru'
bugfix; ProxyResponseRebuild() proxy->client compression chunk only for HTTP/1.1 responses and connection persistence header fields reflect non-chunked GZIP stream
bugfix; HttpdSupervisor() no-progress use ->BytesRaw..
bugfix; ErrorNoticed() use of 'rqptr' (from 16-NOV-2007)
bugfix; NetRead() redact into DataPtr *not* into rqNet.ReadBufferPtr (which works until subsequent read :-)
bugfix; DclUpdateScriptNameCache() undo bug from fix of non-existent problem from 12-APR-2008 (talk about it!)
bugfix; DclUpdateScriptNameCache() copy determined script invocation method ("@","$","=", etc.)
into cache

15-MAR-2008 MGD v9.3.0, RequestReport() per-current, per-connection, per-throttle and per-history
CgiGenerateVariables() suppress SCRIPT_NAME if it is an empty script name ("/")
RequestGblSecUpdate() include remote user and realm in request monitor data
callout REDACT: and REDACT-SIZE: support for request redaction (see DCL.C)
NetRead(), RequestRedact(), RequestEnd() redact support
callout NOTICED: (and auth agent NOTICED)
callout OPCOM: (and auth agent OPCOM)
auth agent callout SCRIPT-META
DirBegin() only use query string if it begins "httpd=index&"
RequestExecutePostCache() check again for RequestHomePage() before final RequestFile()
[ServiceProxyAuth] CHAIN
AUTH_PATH variable for authentication agents
AuthConfigLoadCallBack() do not lower-case path
ProxyRequestRebuild() allow "Proxy-Authorization:" header only if configured for CHAIN proxy authentication
[SocketSizeRcvBuf] and [SocketSizeSndBuf]
HTADMIN and AUTHHTA modules allow for CONNECT method
ProxyTunnel..() provide for SSL client connections
Server Activity graphing slash-delimited 'max-requests' that scales the Y axis allowing finer detail display
authorization realm agent can now be '=agent+opaque' to suppress the automatic username/password challenge
accounting per-request GZIP compress percentage
RequestRedirect() include response cookie(s)
force ACME on VMS V7.3 and later
[AuthSYSUAFuseACME] obsolete
bugfix; GraphActivityPlotBegin() X axis scaling for non-integral factors
bugfix; GraphActivityReport() uninitialised 'cptr' before use in processing '"form"-based query string'
bugfix; AdminMenu() JavaScript doIt() call
bugfix; RequestGet() buggy browser kludge (per JPP)
bugfix; CONNECT proxy authorization
bugfix; AuthCacheGblSecInit() (per JPP)
bugfix; ProxyVerifyGblSecInit() (per JPP)
bugfix; SesolaCacheGblSecInit() (per JPP)

19-MAY-2007 MGD v9.2.1, RequestGet() now handles extraneous which buggy browsers can incorrectly insert after the body of a valid request (See RFC 2616 section 4.1)
ProxyRequestBegin() restrict HTTP methods for FTP scheme
ProxyFtpLifeCycle() process HEAD as for GET
ProxyResponseRebuild() make request HTTP version a consideration before chunking proxy->client (with JPP)
RequestExecutePostAuth1() kludge to allow 'implied' scripts
CgiGenerateVariables() provide TRACK_ID if present (for JPP)
bugfix; DclBegin() agent runs under default account
bugfix; MapUrl_Map() auth agent modifying path SETings
bugfix; DirFormatAcpInfoAst() 'S' (size) processing for block totals at the end of a listing
bugfix; agent mappings using VMS-USER: not being cached
bugfix; GzipDeflateCache() allow for cached CGI header
bugfix; CacheNext() don't adjust GZIP content for CGI header
bugfix; ConfigLoadCallback() post-process sanity checking for 'NetConcurrentMax' and 'NetConcurrentProcessMax'
bugfix; BodyReadBegin() 413 set status before declaring AST
bugfix; ProxyRequestRebuild() proxy verify "Authorization:" request header field carriage-control
bugfix; ProxyNetConnectPersist() rejects all further requests once ProxyConnectPersistMax has been hit

04-NOV-2006 MGD v9.2.0, significantly enhance WATCH filtering
added REG_NEWLINE to REGEX_C_FLAGS so that anchors match newlines in strings to support 'Request' filter in WATCH
access logging now supports an HOURLY period
remove file name length constraint for access logs created on an ODS-5 volume (allows full host name components, etc.)
ProxyTunnelChainConnect() and ProxyTunnelChainConnectAst() to implement raw tunnelling through an intermediate proxy
maintenance; there seem to have been some changes in the underlying TCP/IP Services handling of shared sockets so NetAcceptAst() set socket share on client and ...
NetClientSocketCcl() to control BG device carriage-control (to parallel the APACHE$SET_CCL.EXE functionality)
DclCalloutDefault() add GATEWAY-CCL: callout to allow BG device carriage-control from running script
RequestHttpStatusCode() provides more fine-grained HTTP response status code accounting (mainly for WOTSUP)
DirFormat() and DirFormatSize() allow in-line layouts to specify size with VMS format listings, as well as adding size specification of 'V' (VMS-ish, in blocks)
use PercentOf() and QuadPercentOf() for more accurate and more consistent percentages
AdminMenu() status panel (time, connect, request) mods
AdminMenu() instance [active][standby] functionality (service item) network connection [Purge][All]
activity graph; add request peak data ('network connections' has been masquerading as this) (also see 'CRAZY' note in GraphActivityReport())
for authorization add '+=' to realm default syntax for realm default to be concatenated to any path access
/DO=INSTANCE=ACTIVE|STANDBY
/DO=NET=PURGE[=ALL]|SUSPEND[=NOW]|RESUME
NetPassive() and NetActive() to allow non-supervisor instances to be made quiescent
NetSuspend() and NetResume() to allow halt and resume request processing
NetPurge() to remove network connections
increase AUTH_MAX_PATH_PARAM_LENGTH from 127 to 255 (initially prompted by development of AUTHAGENT_LDAP)
add 'ConnectSuspend', 'InstancePassive', 'LastExitTime64', 'LastExitPid' and 'ResponseStatusCodeCount[]' to global section
bugfix; LoggingDo() changes for daily period test to support hourly logging (thanks again JPP)
bugfix; SsiEnd() propagate included document user variables back into parent document to ensure they remain *global*
bugfix; GzipShouldDefault() uninitialized 'cptr' when no content-type would cause WatchThis() "!AZ" to barf if 'cptr' was non-NULL but pointed into an invalid page
bugfix; NetAcceptProcess() and NetDirectResponse() should issue 503 for 'too busy', not 502
bugfix; StringMatchAndRegex() regular expression 'MatchType'
detection prior to pre-match
bugfix; ThrottleReport() column alignment of 'busy' and 'total' percentages in second row of per-path statistics
bugfix; NetAccept(), NetAcceptAst(), NetAcceptProcess() nasty problem where multihomed servers 'svptr' confusion (due to the multihome pointer manipulation) could result in an attempted re-queue of an accept on a service that did not correspond to the original accept AST delivery with the result that no accept ended up being queued
bugfix; ResponseHeader() and NetWrite() accommodate 304
bugfix; RequestGet() timestamp the event immediately
bugfix; AuthConfigLine() propagate 'RealmCanString' by making it static storage (doh)
bugfix; MenuFileDescription() status from OdsParse()
bugfix; StmLfLog() -E- to -I- for non-status-value call

11-MAY-2006 MGD v9.1.4, 'Proxy affinity' courtesy of Jean-Pierre Petit (esme.fr) (see PROXY.C for an explanation of what all this means) enabled per-service using [ServiceProxyAffinity] or per-path using SET PROXY=[NO]AFFINITY
SesolaCacheInit(), in conjunction with AuthConfigInit() noting the presence of any X509 realm, automatically adjusts multi-instance, SSL session cache record size to accommodate potential client certificate
SesolaInit() added ICACHE=SIZE= and SSL=ICACHE=RECORD= to allow manual configuration of instance SSL session cache
RequestRedirect() "//:port/path" (i.e. begins with "//:") allows a redirect to a different port on the same host
increase MapUrl__Map() WildBuffer[] storage to 4096
increase HOST_STORAGE from 236 to 1004 as an interim workaround for SS$_ENDOFFILE when storage insufficient (jpp@esme.fr) - why doesn't it return SS$_RESULTOVF?!!
SesolaCacheInit() if boolean 'AuthRealmX509' indicates X509 realm is in use then use a larger session cache record
potential bugfix; CgiOutput() CGI_OUTPUT_MODE_CRLF output count should be checked for zero before negative index
potential bugfix; when URL-encoded decoding use unsigned char to prevent sign bit issues with the likes of %FC
bugfix; non-SSL SesolaCacheInit() should return not bugcheck!
bugfix; SSL_shutdown() problem reported by JPP introduce SesolaNetReadAst() and SesolaNetWriteAst() to defer reset of AST function address used to indicate AST-in-progress in other parts of the code
bugfix; CgiOutput() empty 'record' in stream mode should be ignored and not have carriage-control adjusted (JFP)
bugfix; 'RQ' include method (equivalent of Apache "%r")
bugfix; 'EM', 'ES' and 'UE' arithmetic ('doh'!?)
bugfix; DECnetWriteRequestBody() suppress empty record on end-of-body for OSU (call DECnetWriteRequestBodyAst()) to prevent it interfering with functionality
bugfix; HttpdTimerSet() TIMER_PERSISTENT (jpp@esme.fr)
bugfix; RequestFields() allow for header lines with no white-space between field name and value (jpp@esme.fr)

24-NOV-2005 MGD v9.1.3, authorization OPAQUE realm to allow a script to completely generate its own authentication challenge and processing
bugfix; MapUrl__Map() SCRIPT result copy not checking for null resulting in occasional overflow error status
bugfix; FileNextBlocks() ensure VARiable record format files have records read on word (even byte) boundaries
bugfix; AuthConfigProxyMap() set cache record SYSUAF authentication boolean in tandem with request boolean
bugfix; DclSysCommandAst() allow for the queued post-CGIplus script STOP/ID=0 and EOF
bugfix; copy sentinels into request storage to prevent them (potentially) being overwritten by an early call to DclScriptProcessCompletionAST()
bugfix; ResponseHeader() ensure a charset= supplied with a text content-type (e.g.
from a CGI script) is used

15-SEP-2005 MGD v9.1.2, metacon "server-protocol:" as "1.1", "1.0", "0.9"
SET proxy=reverse=[no]auth (jpp@esme.fr)
AuthAcmeVerifyUser() remote IP address to refine intrusion data and reduce possibility of DOS attack on usernames
support multiple IP addresses in host cache (jpp@esme.fr)
support proxy to origin server failover (jpp@esme.fr)
[ProxyConnectTimeoutSeconds] configures period proxy to origin server connection is attempted (1-60 seconds)
add selected request data to ErrorNoticed() report
/DO=ZERO=NOTICED to reset 'errors noticed' accounting
refine OPTIONS ResponseOptions() to provide "Allow:"
bugfix; raw proxy tunnelling requires a contrived connect request in NetRead() to initiate an AST to RequestGet()
bugfix; AuthAcmeVerifyUser() ACME$_LOGON_TYPE requires IMPERSONATE (DETACH) privilege for VMS V7.3-1 and earlier
bugfix; DECnetOsuDialog() allow CgiOutput() error responses
bugfix; initialize TcpIpHostCacheExpireSeconds (jpp@esme.fr)

10-JUL-2005 MGD v9.1.1, [[?]] and service:? to match unknown virtual service
OpenSSL v0.9.8 changed macro name EVP_F_EVP_DECRYPTFINAL
bugfix; adjust CacheMemoryInUse/CachePermMemoryInUse
bugfix; GzipDeflateCache() ambit buffer size calculation too small for small content lengths (just allow heaps!)

26-JUN-2005 MGD v9.1.0, SET throttle=/ per-user throttle
SET script=symbol=[no]truncate
allow for VMS V8.2 64 byte lksb$b_valblk
/DO=DCL=[PURGE|DELETE]=[USER|SCRIPT|FILE]= script processes by username, script name, or file name
/DO=NOTE= to provide admin mapping notes
/DO=THROTTLE=[TERMINATE|RELEASE]=[USER|SCRIPT]= throttled requests by username or script name
AdminMenu() [/DO=] button/field and supporting functionality
caching of GZIP compressed content
proxy cache GZIP compressed content
revised multihoming so that the client specified IP address of a accept()ed connection is used to identify the service (this allows easier isolation of SSL certificates, etc.)
metacon 'instance:' to allow testing of WASD instances
metacon 'multihome:' to allow detection of mismatched multihomed IP addresses and services
metacon 'note:' to allow testing of admin conditional notes
metacon 'robin:' to allow round-robin distribution
CGI variable SERVER_MULTIHOME present when above true
provide PWDMIX mixed-case plus printable char passwords in AuthVmsVerifyPassword() and AuthVmsChangePassword()
CgiVariable() allow path mapping script=symbol=truncate to truncate a CLI symbol within the limit of the current VMS version capacity, noting this in SERVER_TRUNCATE variable
SesolaInitService() no longer needs to clone
modify VM statistics to a max of 1024 pages and granularity of 8 (GZIP significantly increased memory requirements)
DclTaskRunDown() proactively handle task after SS$_NONEXPR
ProxyMaintSupervisor() return if caching not enabled
IA64 TcpIpSetAgentInfo() Multinet uses UCX$IPC_SHR in the image header (TCP/IP Services' TCPIP$IPC_SHR)
AuthVmsVerifyUser() WATCH which flag causes failure
allow client-side GZIPing of non-GZIPed proxied responses (courtesy Jean-Pierre Petit at jpp@esme.fr)
allow config files to be a logical search list (initially to support multiple language HTTPD$MSG files)
relax configured file type check if path SETing script=command=<..> provides a full activation command
HTTPD$VERIFY can now specify a REMOTE_ADDR IP address
allow report path to exclude using negative codes
SSI to response header
SSI to pre-expire
make EXQUOTA (particularly ASTLM) a little more obvious
bugfix; remove mutex around spurious wake counter
bugfix; MetaConLoad() allocate structure before non-filename return!
(revealed by Alex Daniels with no HTTPD$SERVICE)
bugfix; prevent expired SYSUAF password from being cached
bugfix; ProxyEnd(rqptr) should be ProxyEnd(ktptr) in ProxyNetHostConnectAst() (jpp@esme.fr)
bugfix; FileResponseHeader() if none-match entity and IfModifiedSince() logic
bugfix; GzipDeflateCache() ambit buffer size calculation (captr->ContentLength >> 9) now (.. >> 7) (jpp@esme.fr)
bugfix; MapOdsUrlToOds2Vms() DECnet access string should be able to support the space required for password
bugfix; HTTP_METHOD_.. constants needs to be a bitmap!
bugfix; the Ben Burke collection :-)
bugfix; SesolaNetClientShutdown() remove SSL_shutdown() (revealed by https: tunnelling shutdown)
bugfix; keyword search exclusion on configured file type

04-FEB-2005 MGD v9.0.2, SET script=control=<...>
[GzipFlushSeconds] controls GZIPed response flush interval
NetWriteGzip() abandon using argument counts to determine AST usage or direct call, use NetWriteGzipAst() instead
RequestParseAndExecute() and ProxyRequestBegin() remove explicit disable of POST & PUT connection persistence
CgiOutput() if "Location:" is supplied but no HTTP status turn it into a 302 (see also ResponseHeader())
ResponseHeader() include 'rqResponse.LocationPtr'
GzipShouldDeflate() disable PDF deflation by default
bugfix; aarghh!
NetWriteGzip()/NetWriteGzipAst()
bugfix; ServiceConfigAdd(), NetHostNameLookup() status check
bugfix; ProxyReadResponseAst() if required, chunking needs to be performed after header as well as body processing
bugfix; NetWriteChunked() ensure an empty body is terminated with a chunk of zero
bugfix; NetWrite() distinguish between "empty" data and end-of-stream (inducing occasional ZLIB buffer errors)
bugfix; AuthorizeRealm() check for login cookie before revalidating new cache record credentials (jpp@esme.fr)

22-DEC-2004 MGD v9.0.1, introduce chunked responses where content-length is unknown to enhance connection persistence behaviour
SET response=[no]chunked
CGI Script-Control: X-transfer-encoding-chunked[=0|1]
in Sesola_read() and Sesola_write() remove BIO_set_retry_..() and BIO_clear_retry_..(),
bugfix; NetWriteGzip() AST no remaining data length
bugfix; Sesola_read_ast() and Sesola_write_ast() zero I/O status block count on error status
bugfix; MapOdsVmsToUnix() empty if empty

01-DEC-2004 MGD v9.0.0, HTTP/1.1 compliance
persistent connections over SSL
persistent proxy connections
proxy tunnelling
significant changes to proxy cache file processing
GZIP transfer-encoding (response and request)
allow ResponseHiss() kBytes
allow throttling with zero requests being processed
metacon 'request-method:?'
tests for HTTP extension method
metacon refined directive and request header field processing
request redirect, CGI variable and proxy request field processing refined
SET report=tunnel
SET response=gzip=<...>
SET script=body=[no]decode
SET script=syntax=[no]unix
[ConnectMax] (supersedes [Busy]) max concurrent connections
[EntityTag] enables the generation of file "ETag:",
[GzipAccept] accept gzip encoded request bodies
[GzipResponse] level[,memory,window] gzip encoded responses
[LogWriteFail503] service unavailable 503 response when access log write fails
[PipelineRequests] enables pipeline processing
[ProcessMax] max concurrent requests being processed
[ProxyCacheNegativeSeconds] for non-success responses
[ProxyConnectPersistMax] and [ProxyConnectPersistSeconds] for controlling proxy->server connection persistence
[ServiceProxyTunnel] connect | firewall | raw
[ServiceClientSSLcert] and others allow outgoing SSL config
[TimeoutPersistent] supersedes [TimeoutKeepAlive]
CGI Script-Control: X-content-encoding-gzip[=0|1]
bugfix; FileVariableRecord() memset only if positive
bugfix; (authorization) agents should not begin to read a POSTed request body (Jean-Pierre Petit, jpp@esme.fr))
bugfix; CgiOutputFile() missing sizeof(FILE_CONTENT) when VmReallocHeap() increasing buffer space
bugfix; AuthReadSimpleList() group member password check

02-OCT-2004 MGD v8.5.3, revalidation periods and '?httpd=logout&goto=...'
change from self-relative to absolute links in "Index of" anchor generation (broke usage in some SSI documents)
bugfix; MetaconClientConcurrent() if IP address not the same!
bugfix; auth=revalidate= is minutes not seconds
bugfix; even number of bytes on a disk $QIO READVBLK
bugfix; HttpTimerSet() after mapping in case of SET timeout
bugfix; ServiceFindVirtual() port string comparison

31-JUL-2004 MGD v8.5.2, bugfix; StringMatchAndRegex() SMATCH__GREEDY_REGEX
bugfix; (potential anyway) PutWriteFileClose()/PutEnd()
bugfix; TcpIpNetMask() result in AuthRestrictList()
bugfix; ProxyFtpPasvData() if PASV response address is 0.0.0.0 then use connect address

30-JUN-2004 MGD v8.5.1, bugfix; HttpdExit() INHIB_MSG test

07-JUN-2004 MGD v8.5.0, IPv6 (concurrent with IPv4) support
ACME authentication (realm)
[AuthSysUafUseACME] config directive
config directives [DNSLookupClient] (formerly [DNSLookup]), [DNSLookupLifeTime] and [DNSLookupRetry]
config directive [ProxyHostCachePurgeHours] obsolete
SYSUAF user verification now checks pre-expired passwords
changes to eliminate RMS from file access and proxy cache (WASD's doing all the content conversion work anyway!) by using ACP/QIOs and massaging record content explicitly (outgrowth of returns from 8.4.3 changes in this area)
on-disk structure for each PASS result (ODS-2 or ODS-5) is applied to a path unless otherwise SET with ODS=
bugfix; file cache pointer initialization before first call to CacheNext()
bugfix; agent script should have non-strict-CGI ignored (stupid problem introduced with script output caching)

04-MAR-2004 MGD v8.4.3, read variable record format files using block IO and then explicitly process those records to produce a stream-LF block of data in their place! (provides in excess of 400% throughput boost!!!
  :^)
  set script process default directory before activation
  set script process parse extended/traditional if path ODS
  set CGI 'Script-Control: X-content-handler=SSI' field
  absorb CGI/NPH header during script CGI processing
  SET ssi=exec= script=default=
  SSI can now be enabled on a per-path basis using 'ssi=exec=#'
  SSI #exec (#dcl) directives can be allowed on per-path basis using SET ssi=exec= (e.g. 'ssi=exec=say,show')
  'delete-on-close' file specification extended SSI metacon add server_process_gt:, change to client_connect_gt: and server_connect_gt: to better reflect functionality
  service access log report (last 65kB of an access log)
  add connect processing and keep-alive accounting items
  DECC 6.2 objected to '$DESCRIPTOR(name,ptr->string)'
  bugfix; rare RECTOOBIG on variable record length file where longest record exceeded 'OutputBufferSize' so initialize buffer to maximum of 'OutputBufferSize' or file lrl
  bugfix; RequestExecute() re-set error by redirect
  bugfix; ErrorGeneral() always get module name and number
  bugfix; DclAllocateTask() CGIplus with virtual services
  bugfix; ProxyFtpListProcessUnix() maximum fields handling
08-JAN-2004 MGD v8.4.1,
  SET response=header=[no]add[=""]
04-JAN-2004 MGD v8.4.0,
  compilation and run-time support for IA64
  for VMS 7.3-2 and later take advantage of the larger EDCL CLI line (255->4095) and symbol (1024->8192) sizes
  'config directory' located authorization databases
  authorization path keyword 'final' to conclude further rule mapping at that point (as if none matched)
  rule mapping "set map=root=" allows a set of rules to be rooted to a particular path (CGI document-root)
  support "Range: bytes=[,..]" request field for non-VAR-record files and cached files
  provide network mode operation (server and scripts)
  revise detached process cleanup candidate identification (now requires CMKRNL privilege to use $GRANTID service)
  modify DCL.C script activation code (allow qualifiers and/or parameters to be supplied from path setting)
  extensive
  rework of cache module to allow non-file content (e.g. script) output to be cached
  [CacheGuardPeriod] configuration directive
  optional HTTPD$MSG [language] 'charset=' parameter
  HTA database now "read [record] regardless of lock"
  SET cache=[no]cgi, cache=expires=, cache=[no]file, cache=[no]net, cache=maxkbytes=, cache=[no]nph, cache=[no]script, cache=[no]ssi, map=root=, map=set=[no]ignore, map=set=[no]request, proxy=reverse=location=, proxy=reverse=verify, response=header=[append|full|none], script=command=
  reverse-proxy 302 "Location: ..." response can have the location URL rewritten to reflect the original host
  reverse-proxy can be locally authorized and then have that verified by the proxied-to server (UMA)
  metacon "document-root:" ('DR') reflects "set map=root="
  add "client_current_gt:" and "server_current_gt:"
  /PERSONA=IDENT= is now available for PERSONA_MACRO
  mapping now URL-encodes a redirect wildcard path portions
  rework some report item format and content
  check Digest authentication against Mozilla 1.4
  only check SYSUAF secondary password expiry date/time if the secondary password hash is not empty
  bugfix; error report by redirect, set after virtual host
  bugfix; GraphActivityPlotBegin() and GraphActivityDataScan() signed/unsigned issue masking out request value
  bugfix; chained proxy CONNECT processing
  bugfix; keep track of outstanding body reads
  bugfix; according to the doco "Index of"s from SSI should not be delimited top or bottom (up to SSI to caption it!)
  bugfix; DclScriptProcessPurge()
12-OCT-2003 MGD v8.3.2,
  bugfix; DECnet allow for outstanding network writes
  bugfix; "internal" script detection
  bugfix; MetaConLoad() [IncludeFile]
  bugfix; ProxyRequestRebuild() rebuild buffer space
  bugfix; suppress output after "Script-Control: x-error..."
  bugfix; keyword search exclude file type
  bugfix; notepad needs to be explicitly NULLed
  bugfix; MAP-FILE: stripping leading character
  bugfix; DECnet allow for outstanding body reads
15-AUG-2003 MGD v8.3.1,
  allow the database directory location to be specified using authorization rule 'param="/directory=device:[directory]"'
  allow for and keep track of $HIBER spurious wakes
  massage SYSUAF-authenticated remote username to comply with VMS requirements
  suppress digest auth challenge except for HTA and external
  where CDATA constraints make using entity impossible use a field name of hidden$lf and ^ substituted with the BODY.C module doing some sleight-of-hand with it (modern browsers like Mozilla were having issues)
  BODY_DISCARD_CHUNK_COUNT made *very* large
  bugfix; ServiceConfigReviseNow() form element names must be unique (technically correct, enforced by modern browsers)
  bugfix; AuthCacheAddRecord()
  bugfix; check for NULL pointer 'cnptr->ReuseConnection'
  bugfix; DECnetCgiDialog() not strict wait for EOF sentinel
  bugfix; do not allow SET mapping during a callout
  bugfix; use _BBCCI() to clear the mutex in InstanceExit()!!
  bugfix; SesolaCacheAddRecord() oldest tick second
28-JUN-2003 MGD v8.3.0,
  regular expression support
  [AuthFailurePeriod], [AuthFailureTimeout], [ProxyUnknownRequestFields], [RegEx] directives
  SET cache=[no]perm, cache=max=
  SET notepad= and if (notepad:)
  metacon "notepad:", "regex:", "request:" ('RQ'), "restart:"
  [Match] Server Admin item, report, and WATCH item
  file cache support for permanent and volatile entries
  improve efficiency RequestRedirect() & ProxyRequestRebuild()
  store and provide unrecognised request header fields
  rework break-in detection and processing (configuration defaults to LGI sysgen parameters and now operates in the same way as described for general VMS)
  /SYSUAF=(VMS,ID) allows concurrent VMS and ID authorization
  add proxy cache device error count statistics
  home pages may now be [Welcome]+[DclScriptRunTime] specified (i.e.
  provided via scripting environments such as PHP)
  request heap statistics and VmRequestTune()
  bugfix; add HTTP protocol to combined/common format URL
  bugfix; request body to be read needs to be the smaller of remaining body or buffer size (jpp@esme.fr)
  bugfix; InstanceMutex..() use _BBCCI() to clear the mutex
  bugfix; FILE.C FileSetCharset() following CacheSearch() moved to CACHE.C module (ACCVIO if entry NULLed)
  bugfix; ProxyMaintDeviceStats() volume count (set) handling
  bugfix; ServiceConfigFromString() (jpp@esme.fr)
  bugfix; DirFormatLayout() static flags (jpp@esme.fr)
  bugfix; request SET Html.. memory allocation (jpp@esme.fr)
  bugfix; MetaConParse() decrement index (back) when not currently executing an if()inline directive
  bugfix; (and refine) DECnetSupervisor()
  bugfix; DclSysOutputAst() do not rundown script process if the error generated came from "Script-Control:"
  bugfix; CGI(plus) allow for '!' from (!$blah) mapping rule
09-APR-2003 MGD v8.2.0,
  some minor logging format changes for server entries
  wildcard and comma-separated list of languages can be specified (e.g. "[Language] es-ES,es,es-*")
  [ProxyForwarded] supersedes [ProxyAddForwardedBy] with proxy=forwarded[=...] mapping rule
  [ProxyXForwardedFor] configuration directive with proxy=xforwardedfor[=...] mapping rule to support proxy generation of "X-Forwarded-For:" header field
  authentication agent '100 REASON any text'
  script=as=$? to indicate optional use of SYSUAF username
  SET dir=style[=default|original|anchor|htdir], SET html=[bodytag|header|headertag|footer|footertag]=[..]
  and incorporation in "Index of", selected other facilities
  SET cgiplusin=[none|cr|lf|crlf], SET cgiplusin=eof, SET script=query=none, SET script=path=find, SET [no]search=none
  disable 'NetMultiHomedHost' (should not be required for modern virtual service processing)
  script=params=+(name=value) concatenates to any existing
  HTAdminPasswordChange() check for VMS group write
  processes created using HttpdDetachServerProcess() now have a YYYYMMDDHHMMSS timestamp as part of the process log name
  with RTEs look first for one that was executing the same script, then if not found fall back to (any) LRU RTE
  SYSUAF security profile via rule and /PROFILE=BYRULE
  script as SYSUAF username can be requested with auth rule
  allow [[service]] to include the [[scheme://service]]
  relax ServiceParse() so that [[the.host.name]] is accepted
  enable SYSPRV in HTAdminDatabaseSearch()
  relax initial CGI response line checking
  build 'records' from script single byte output streams
  general (non-RTE) run-time allowed with (!..)
  syntax
  both run-time specifications allowed with SCRIPT rule
  added GATEWAY_EOF/EOT/ESC CGI variables
  sentinels changed to have only RMS-compliant characters
  supply more detail from "%DCL-E-OPENIN, blah" responses
  SesolaParseCertDn() record /email and /emailAddress
  bugfix; Alpha VMS V7.1 or earlier sys$persona_assume() needs to be used in the same way as for VAX
  bugfix; RequestRedirect() append remain CGI response header
  bugfix; body provision for script processing restart
  bugfix; proxy FTP ResponseHeader() content-length of zero
  bugfix; StringParseQuery() loop on string overflow
  bugfix; HTAdminPasswordChange() cache reset realm
  bugfix; error recovery in Sesola_read() and Sesola_write()
  bugfix; DECnetFindCgiScript() foreign verb creation
10-JAN-2003 MGD v8.1.1,
  SET script=query=relaxed
  AuthVmsLoadIdentifiers() more flexible
  bugfix; ControlEnqueueCommand() occasional race condition
07-DEC-2002 MGD v8.1.0,
  SET auth=all (path must be subject to authorization or fail)
  CGI 'Control-Script:' X-error-... fields
  add 'mp' mapping and 'mapped-path:' metacon conditionals
  add 'rc' mapping and 'redirected:' metacon conditionals
  add 'st' mapping and 'script-name:' metacon conditionals
  add "path-translated:" metacon conditional
  skeleton-key authentication
  refine mapping rule processing to ensure that paths with forbidden syntax generate RMS bad syntax
  check for device and directory (minimum) before parse
  refine metacon reporting (reporting detected errors to OPCOM)
  the server now detects the presence of HTTP$NOBODY account and scripts using that
  if the server is using HTTP$NOBODY or /script=as= DECnet scripting now uses the same account
  refine VMS security profile usage (no, just coincidence!) to allow VMS profile authorized requests to override directory listing controls (amongst other things)
  server process log is now accessible via the Admin Menu
  additional mapping functionality (SET query-string=)
  no sneaky getting directory contents by downloading files!
  CGI.C in non-strict CGI mode report anything like "%DCL-E-OPENIN, blah" as a failed script activation
  PUT.C allow for white-space in multipart file names
  bugfix; in OdsNameOfDirectoryFile() use SYSPRV around sys$parse() to ensure access to directory
  bugfix; set path dir=access not ignored
25-SEP-2002 MGD v8.0.1
  additional persona counters
  /script=as= allows a NOBODY scripting environment without enabling PERSONA in general
  require account SYSPRV for certain command-line activities
  implement /persona=[authorized|relaxed|relaxed=authorized] to prevent inadvertent scripting using privileged accounts
  HttpdDetachServerProcess() [STARTUP]STARTUP_SERVER.COM
  MapOdsElementsToVms() excise parent directory syntax
  only use MapUrl_VmsUserName() path ODS if not already set
  SET report=4nn=nnn for mapping HTTP status
  SET map=ellipsis now required to map VMS '...' wildcard
  SET dir=charset= directory listing charset
  mapping rule support 'script=as=' functionality, plus DECnet variants NODE"$":: substitutes SYSUAF authenticated username into access string (for proxy access to account) and NODE"~":: substitutes '/~username/' username in same way
  set path en/decoding for RSI (MultiNet NFS), PATHWORKS (v4), Advanced Server (PATHWORKS v6) / Samba file naming schemas (as well as for ODS-2 and ODS-5)
  AuthVmsCheckUserAccess() traps SS$_NOCALLPRIV returning SS$_NOPRIV to allow directory listings of DFS volumes
  introduce fab$b_rfm and fab$b_rat as fields to allow PUT.C to specifically set these attributes as required
  refine SesolaReport() for obtaining service ciphers (OpenSSLv0.9.6f/0.9.7-beta break it)
  local redirection should have the path re-URL-encoded
  FAO change function of "!&U" to "!&P", new "!&U"
  enhance authentication and SSL global section creation
  allow for 'pass /* 400' (i.e.
  no trailing message)
  RFC1413 authorization with DNS lookup use host name to construct remote user string
  rework path alert notification for greater functionality
  bugfix; make ServiceConfigLoad() file not found non fatal
  bugfix; ConfigIconFor() terminate on content-type
  bugfix; if restart MIME boundary matching algorithm using that char (allow for --..boundary)
  bugfix; 'Xray' broken in v8, repaired and reworked
  bugfix; always revalidate X509 and RFC1413 (for path authorization after script)
  bugfix; 'script' and 'exec' MetaConParseReset() state
  bugfix; set AuthCacheRecordSize from HTTPD$CONFIG value
  bugfix; when discarding via BodyReadBegin() use BodyRead() to queue a network read only if data is outstanding
  bugfix; template/result wildcard checking for scripting rules
  bugfix; do not count callout records for CGI header purposes
03-JUL-2002 MGD v8.0.0
  "instance" capability (loosely coupled, multiple socket/service-sharing servers on the one system)
  meta-config (integrated config, mapping, service, auth),
  provide "module WATCHing" for on-line, ad hoc debug
  SET script=params=(name=value), proxy=bind=
  and proxy=chain= mapping rules
  asynchronous block processing of POST and PUT request body
  some accommodations for Mozilla-HTTP/1.1 "Cache-Control:"
  improve performance with EFN$C_ENF and use explicitly allocated event flags for avoiding potential interactions
  client host name lookup now asynchronous
  FTP proxying processing
  /DEMO demonstration mode
29-JUN-2002 MGD v7.2.3
  some accommodations for Mozilla-HTTP/1.1 "Cache-Control:"
  bugfix; [ProxyCacheNoReloadSeconds] parsing
  bugfix; (well sort of) it would appear that after NO_CONCEAL searching and a sys$open() must sys$close() *before* the SYNCHCK sys$parse() release resources otherwise a channel
  bugfix; ensure when OdsParse() is used successively with the same ODS structure that previous resources are first released (can present a problem unique to search lists) to the device is left assigned!!
  bugfix; ensure sys$search() RMS channel is released
  bugfix; ProxyResolveHostCache() NULL 'rqptr'
  bugfix; account/password expiry
  bugfix; DclFindFileEnd() reset result file name
  bugfix; SsiAccessesClose() now synchronous using SYSPRV
13-APR-2002 MGD v7.2.2
  Authorize() allow /NO401 parameter to suppress server challenge to allow external agent to respond (e.g.
  PHP)
  ProxyHostConnectAst() invalidate host cache entry
  NetCreateService() checks previously bound address
  MapOdsUrlToVms() eliminate chance of device:[.directory]
  make a proxy reactive purge initially more aggressive
  keep-alive decision logic to RequestFields()
  bugfix; ensure only one request revalidates a cache entry at a time (multiple could cause eventual channel exhaustion)
  bugfix; switch return not break with next reactive scan
  bugfix; AuthConfigProxyMap() wildcard string results
  bugfix; ODS-5 parent directories with multiple periods
  bugfix; command-line proxy cache maintenance reporting
  bugfix; FileNextRecordAst() VAR file into contents buffer
  bugfix; MAPURL.C throttle report
  bugfix; AuthCacheAddRecord() and host group without "host="
  bugfix; reset SSL state to SSL_ST_OK if renegotiation fails
  bugfix; DclTaskRunDown() reset script task type
  bugfix; MsgFor() Accept-Lang: comparison
  bugfix; NetAcceptAst() deassign channel when connect dropped
  bugfix; wildcard substitution in MapUrl__Map()
  bugfix; StringMatch() wildcard matching
  bugfix; close log file for ALL services in LOGGING.C
  bugfix; !&M formatting directive in PROXYCACHE.C
  bugfix; /RELAXED should allow all but DISUSERed accounts to authenticate regardless of RESTRICTED or CAPTIVE flags
03-NOV-2001 MGD v7.2.1
  PERSONA.C using PERSONA.MAR can now provide persona scripting for pre-VMS 6.2 VAX systems (CAUTION!! - UNSUPPORTED)
  "TASK=CGI..", "0=CGI.."
  recognised as DECnet CGI dialog
  FAB$M_TEF to deallocate unused log file space
  StringMatch() replaces SearchTextString() for more light-weight text matching (affects six modules)
  [SsiSizeMax] and [ProxyCacheNoReloadSeconds]
  FILE.C block I/O complete if _rsz is less than _usz
  'ProxyCacheNoReloadSeconds' limits immediate (pragma) reload
  ensure mapping conditional not mistaken for missing template
  kludge work around spawning authorized privs with $CREPRC
  bugfix; ensure only one request revalidates a cache entry at a time (multiple could cause eventual channel exhaustion)
  bugfix; close current log file if period changes
  bugfix; DECnet user script mapping
  bugfix; FileNextBlocksAst() 'ContentRemaining'
  bugfix; wildcard substitution in MapUrl__Map()
  bugfix; sys$close() in OdsLoadTextFile()
  bugfix; always generate callout sequences
  bugfix; a bugfix in VMS V7.2 has broken the previously working usage of IO$_MODIFY in ProxyCacheSetLastAccessed()
  bugfix; activity graphic
  bugfix; check ParseQueryField() in WatchBegin() for NULL
  bugfix; allow agent to provide 'CGIPLUS:' directive
  bugfix; 'layout=U' upper-casing
01-JUL-2001 MGD v7.2.0
  X.509 authentication and authorization
  RFC1413 (identification protocol) authorization
  remote user to vms user (SYSUAF authorization) proxy mapping
  proxy cache maintenance may now be done from the CLI
  HTL list maintenance can now be done from the Admin Menu
  a fatal authorization problem now disables authorization
  "hh:mm:ss" allows for a more versatile period
  concurrent processing controls (request "throttling")
  improved script process run-down conditions and handling
  HttpdTick() drives XxxSupervisor()s
  control (/DO= and Admin menu) now via a global section
  monitor (HTTPDMON) data now supplied via a global section
  suppress CGI content-type "x-internal..."
  [IncludeFile] for all configuration files
  request supervisor refinements
  .URL file processing
01-JUL-2001 MGD v7.1.2
  add selective status codes to error report path
  refine 'view' and 'list' redirection in UPD.C
  refine logging RMS characteristics (500% improvement)
  provide for ODS-5 "hidden" files ('^.')
  check network status during SSL accept EXEC of file type
  remove http: check from SesolaAccept()
  bugfix; parsing of [ServiceProxyChain]
  bugfix; 'RU' conditional
  bugfix; SCRIPT_FILENAME with CGIplus
  bugfix; NetThisVirtualService() and call conditions
  bugfix; SesolaFree() BioPtr
  bugfix; AuthVmsCheckUserAccess() return SS$_NOPRIV
  bugfix; ParseNetMask() and VSLM mask processing
  bugfix; sys$create_user_profile() length size from word (System Services Manual) to unsigned int (startlet.h)!
  bugfix; authorization network masks
  bugfix; directory specification length (sys$check_access())
  bugfix; HTAdminPasswordChange() call to FaoToOpcom()
  bugfix; AuthGenerateHashPassword() force upper-case
  bugfix; final status at write group/no read group check
18-JAN-2001 MGD v7.1.1
  HTTPD$SCRATCH automatic script scratch file cleanup
  authentication agent can now '100 SET-COOKIE rfc2109-cookie'
  bugfix; memory leak in AUTH.C
  bugfix; FILE.C make a search list DNF appear as a FNF
  bugfix; /PROFILE empty directory passing incorrect parameter
  bugfix; general error reporter variable arguments
  bugfix; final authorization failure should specify 403
  bugfix; ensure mapping rules exist for authentication agents
  bugfix; control cache purge arguments
17-OCT-2000 MGD v7.1.0
  sys$creprc() scripting
  sys$persona...() scripting
  Run Time Environments (RTEs)
  server-group/cluster-wide directives (via DLM)
  further refined CGI.C module output handling
  apply authorization to SSI.C #include'd and #dir'e
  client socket (BGnnnn:) potentially sharable for scripts
  proxy cache device directory organization flat256/64x64
  modify SSL initialization to better indicate "fallback"
  integration of WATCH peek/one-shot
03-SEP-2000 MGD
v7.0.2
  limit script output of ENDOFFILE if CGI response "Content-Encoding:" force stream mode
  bugfix; ProxyResolveHostLookup() can be called multiple during host name resolution - only allocate channel once!!
  bugfix; include Accept-Encoding when redirecting
  bugfix; ParseQueryField() string length check
09-JUL-2000 MGD v7.0.1
  locking around proxy cache scans
  add "success=" 303 processing to PUT.C file upload
  improve CgiOutput() header processing (again!)
  correct concealed/searchlist parsing
  allow "302 location" redirection from authentication agent
  bugfix; proxy CONNECT service
  bugfix; HEAD requests specifying content-length
  bugfix; WatchCliSettings() storage
01-JUN-2000 MGD v7.0.0
  support extended file specifications (ODS-5 under Alpha VMS V7.2ff)
  event reporting via OPCOM
  some "Apache" support for easing CGI script ports
  access log file naming refinements
18-MAR-2000 MGD v6.1.3
  bugfix; authconfig processing
06-JAN-2000 MGD v6.1.2
  authorization failure limit evasion period
  numerous warnings from DECC v6.2 addressed
  bugfix; user restriction list pass (broken in 6.1)
17-DEC-1999 MGD v6.1.1
  bugfix; quote double-up in CgiVariable() (INSVIRMEM exit)
04-DEC-1999 MGD v6.1.0
  "agent" authentication/authorization
  CGI(plus) processing provides callouts
  SSI module now supports OSU-specific directives
  /SYSPRV now allows operation with SYSPRV turned on
  "one-shot" WATCH and "peek" reports
  output no-progress timer
  remove NETLIB support
16-OCT-1999 MGD v6.0.3
  bugfix; sys$create_user_profile
  bugfix; mapping storage overflow USER mapping rule for SYSUAF access
12-SEP-1999 MGD v6.0.2
  minor changes to authorization processing
  bugfix; service parsing and SSL virtual services now match using "Host:" field
19-JUN-1999 MGD v6.0.1
  refinements to request termination/rundown
  bugfix; DECnet (CGI and OSU) task handling
  bugfix; proxy request HTTP/0.9 response processing
30-MAY-1999 MGD v6.0.0
  proxy, with HTTP caching
  OpenSSL 0.9.3 support (also SSLeay support)
  extended
  authorization/authentication environment
31-MAR-1999 MGD v5.3.4
  bugfix; SesolaReport(), HttpHeaderChallenge()
28-MAR-1999 MGD v5.3.3
  SSI variables global (when "#include"ing other SSI)
  SSI read buffer determined by 'FileXabFhc.xab$w_lrl'
05-FEB-1999 MGD v5.3.2
  bugfix; FileNextRecord() zero '_usz'
10-JAN-1999 MGD v5.3.1
  greater granularity when WATCHing authorization
  bugfix; OSU scripting pass *mapped* file spec
14-NOV-1998 MGD v5.3.0
  [[host:port]] virtual service syntax
  [AddType] can now "text/html; charset=ISO-8859-1"
  [CharsetDefault] sets text and server character set
  improved AST granularity several significant modules WATCH report and CLI
  RMS-invalid substitution character in mapping rules
  bugfix; NameOfDirectoryFile()
29-AUG-1998 MGD v5.2.0
  reuse DECnet task connections
  allow specified hosts exclusion from logging
  stream-LF conversion only on specified paths
  bugfix; SYS$TIMEZONE_DIFFERENTIAL processing
  bugfix; DECnet tasks not aborted at timeout
07-JUL-1998 MGD v5.1.0
  add eXtended Server Side Includes processing
  design-problem; modify CGIplus script rundown
  SYSUAF authentication by identifier
  per-service logging
  rqptr->rqTmr.Terminated (occasional lib$get_vm() %LIB-F-BADLOADR around connection expiry termination)
20-DEC-1997 MGD v5.0.0
  optional Secure Sockets Layer (using SSLeay)
  DECnet-based scripting including OSU emulation
  miscellaneous revisions and "improvements"
07-JAN-1997 MGD v4.5.2
  bugfix; record-mode file transfer
  bugfix; activity graph
06-DEC-1997 MGD v4.5.1
  resolving a suspected inconsistent AST delivery situation by requiring all $QIO()s with AST routines to ensure any queueing errors etc. are reported via the AST routine by an explicit $DCLAST() ... this removes ambiguity about how $QIO() returns should be handled ... drastic but desperate times, etc.
  (a more consistent and desirable model anyway :^)
02-NOV-1997 MGD v4.5.0
  file cache
  logging periods
  HttpdSupervisor()
  configurable script run-time environments
  additional request header fields
18-OCT-1997 MGD v4.4.1
  bugfix; duration
  bugfix; logging period
01-OCT-1997 MGD v4.4.0
  message module
  conditional rule mapping
  SYSUAF-authenticated user access control
  multi-homed/multi-port services (some NETLIB packages now cannot DNS lookup)
  echo and Xray internal scripts
  extensions to logging functionality
  additional command-line server control
  bugfix; redirection loop detection
01-AUG-1997 MGD v4.3.0
  MadGoat NETLIB broadens TCP/IP package support
  server activity report
16-JUL-1997 MGD v4.2.2
  bugfix; WORLD realm and access list
07-JUL-1997 MGD v4.2.1
  minimum heap allocation chunk size
  prevent keep-alive timeout redefining request logical
01-JUL-1997 MGD v4.2.0
  change name to WASD (Wide Area Surveillance Division)
  persistent DCL subprocesses and CGIplus (see re-written DCL.C module)
  scripting and client reports
  potential multi-thread problems in reports fixed
27-MAR-1997 MGD v4.1.0
  rationalized HTTP response header generation
  delete on close for "temporary" files to support UPD module "preview" functionality ... WARNING, any file with a name comprising a leading hyphen sixteen digits and a trailing hyphen will be deleted!
01-FEB-1997 MGD v4.0.0
  HTTPd version 4
01-OCT-1996 MGD v3.4.0
  extended server reporting
01-AUG-1996 MGD v3.3.0
  realm/path-based authorization
  BASIC and DIGEST authentication
  PUT(/POST/DELETE) module
  StmLf module (variable to stream-LF file conversion)
12-APR-1996 MGD v3.2.0
  file record/binary now determined by record format
  persistent connections ("Keep-Alive" within HTTP/1.0)
  moved RMS parse structures into thread data
  improved local redirection detection
  observed Multinet disconnection/zero-byte behaviour (request now aborts if network read returns zero bytes)
15-FEB-1996 MGD v3.1.1
  fixed ridiculous :^( bug in 302 HTTP header
  minor changes to request accounting and server report
  minor changes for user directory support
  minor changes to error reporting
03-JAN-1996 MGD v3.1.0
  support for both DEC TCP/IP Services and TGV MultiNet
01-DEC-1995 MGD v3.0.0
  single heap for each thread's dynamic memory management
  extensive rework of DCL subprocess functionality
  HTML pre-processing module (aka Server Side Includes)
  NCSA/CERN compliant image-mapping module
  NetWriteBuffered() for improving network IO
  miscellaneous reworks/rewrites
27-SEP-1995 MGD v2.3.0
  carriage-control on non-header records from to single ('\n' ... newline), some browsers expect only this (e.g.
  Netscape 1.n was spitting on X-bitmaps)
  added Greenwich Mean Time time-stamp functionality
  added 'Referer:', 'If-Modified-Since:', 'User-Agent:'
07-AUG-1995 MGD v2.2.2
  optionally include commented VMS file specifications in HTML documents and VMS-style directory listings
16-JUN-1995 MGD v2.2.1
  added file type description to "Index of" (directory)
24-MAY-1995 MGD v2.2.0
  minor changes to allow compilation on AXP platform
03-APR-1995 MGD v2.1.0
  add SYSUAF authentication, POST method handling
20-DEC-1994 MGD v2.0.0
  multi-threaded version
20-JUN-1994 MGD v1.0.0
  single-threaded version
*/
/*****************************************************************************/

#ifndef VERSION_H_LOADED
#define VERSION_H_LOADED 1

/* five characters or less */
#define HTTPD_NAME "WASD"
#define HTTPD_SOFTWAREID_NAME "HTTPd-WASD"
/* keep HTTPD_GBLSEC_VERSION in step with this version (as necessary) */
#define HTTPD_VERSION "12.3.0"

/* used to name and to detect changes in global section data structures */
#define ACTIVITY_GBLSEC_VERSION_NUMBER 0x120000 /* i.e. 12.00.00 */
#define AUTH_GBLSEC_VERSION_NUMBER 0x120000
#define AUTH_TOKEN_GBLSEC_VERSION_NUMBER 0x120000
#define HTTPD_GBLSEC_VERSION_NUMBER 0x120000
#define SESOLA_GBLSEC_VERSION_NUMBER 0x120000
#define PROXYVERIFY_GBLSEC_VERSION_NUMBER 0x120000

/* used as part of the "instance" lock names, allowed range 1..15 */
#define HTTPD_LOCK_VERSION 1

VersionInfo();

#endif /* VERSION_H_LOADED */

/*****************************************************************************/