|1Service Configuration|| |^ By default, the logical name |*WASD_CONFIG_SERVICE| locates a common service configuration file. The service configuration file is mandatory. |^ WASD |/services| are also known as |/virtual servers| or |/virtual hosts| and can provide multiple, autonomous sites from the one HTTP server. Services can each have an independent IP address or multiple virtual sites share a single or set of multiple IP addresses. Whichever the case, the host name entered into the browser URL must able to be resolved to the IP address of an interface configured on the HTTP server system. There is no design limit to the number of services that WASD can support. It can listen on any number of IP ports and for any number of virtual services for any given port. |^ The server must be able to resolve its own host name/address. It is not unknown for completely new systems to have TCP/IP configuration overlooked. The server must also be able to resolve the IP addresses of any configured virtual services (|link|Virtual Services||). Failure to do so will result in the service not being configured. To avoid startup issues in the absence of a usable DNS it is suggested that for fundamental, business-critical or otherwise important services, static entries be provided in the system TCP/IP agent's local database. |^ Changes to the service configuration file can be validated at the command-line before restart. This detects and reports any syntactical and fatal configuration errors but of course cannot check the |/intent| of the rules. |code| $ HTTPD /DO=SERVICE=CHECK |!code| |2Specific Services| |^ In common with other configuration files, directives associated with a specific virtual services are introduced using a double-bracket delimited host specification (|link|Virtual Services||). When configuring a service the following three components specify the essential characteristics. |bullet| |item| |*scheme |-| | HTTP scheme (sometimes refered to as |/protocol||). If |/http:| (or omitted) it is a standard HTTP service. If |/https:| an SSL service is configured. |item| |*host |-| | Host name or dotted-decimal address. If omitted, or specified as an asterisk ("*"), defaults to the system's IP host name. |item| |*port |-| | IP port the service is offered on. If omitted it defaults to 80 for an |/http:| service, and to 443 for an |/https:| (SSL) service. |!bullet| |^ These WASD_CONFIG_SERVICE examples illustrate the directive. |code| [[http://alpha.example.com:80]] [[http://alpha.example.com:8080]] |!code| |2Generic Services| |^ A |/generic| service is one that specifies a scheme and/or port but no specific host name. This is useful in a cluster where multiple systems all provide a basic service (e.g. a port 80 service). If the host name is omitted or specified as an asterisk the service substitutes the system's IP host name. |code| [[http://*:80]] [[http://*:8080]] |!code| |2SSL Services| |^ See |link%|../features/##Transport Layer Security| of |link%|../features/##|WASD Features and Facilities||. |^ Multiple virtual SSL services (https:) sharing the same certificate can essentially be configured against any host name (unique IP address or alias) and/or port in the same way as standard services (http:). Services requiring unique certificates can only be configured for the same port number against individual and unique IP addresses (i.e. not against aliases). This is not a WASD restriction, it applies to all servers for significant SSL technical reasons. |^ For example, unique certificates for https://www.company1.com:443/ and https://www.company2.com:443/ can be configured only if COMPANY1 and COMPANY2 have unique IP addresses. If COMPANY2 is an alias for COMPANY1 they must share the same certificate. During startup service configuration the server checks for such conditions and issues a warning about "sharing" the service with the first configured. |code| [[https://alpha.example.com]] [[https://*:443]] |!code| |2Administration Services| |^ When multiple instances are configured Server Administration page access, in common with all request processing, is automatically shared between those instances. There are occasions when consistent access to a single instance is desirable. The [ServiceAdmin] directive indicates that the service port number should be used as a |_base| port and all instances create their own service with unique port for access to that instance alone. The first instance to create an |/administration service| uses the specified port, or the next successive if it's already in use, the next instance will use the next available port number, and so on. A high port number should be specified. The Server Administration page lists these services for all server instances in the cluster. This port configuration is not intended for general request activity, although with appropriate mapping and other configuration there is nothing specifically precluding the use (remembering that the actual port in use by any particular instance may vary across restarts). In all other respects the services can (and should) be mapped, authorized and otherwise configured as any other. |code| [[https://alpha.example.com]] [ServiceAdmin] enabled |!code| |2IPv4 and IPv6| |^ Both IP version 4 and 6 are concurrently supported by WASD. All networking functionality, service creation, SSL, proxy HTTP, proxy FTP and RFC1413 authorization is IPv6 enabled. If system TCP/IP services do not support IPv6 the expected error would be |code| %SYSTEM-F-PROTOCOL, network protocol error |!code| during any attempted IPv6 service creation. Of course IPv4 service creation would continue as usual. |^ Server configuration handles the standard dotted-decimal addresses of IPv4, as well as "normal" and "compressed" forms of standard IPv6 literal addresses, and a (somewhat) standard variation of these that substitutes hyphens for the colons in these addresses to allow the colon-delimited port component of a "URL" to be resolved. Alteratively, use the de facto standard method of enclosing the IPv6 address within square brackets, followed by any port component. |0IPv6 Literal Addresses| |table| |~_ |: Normal|: Compressed |~ |~ |. 1070:0:0:0:0:800:200C:417B |. 1070::800:200C:417B |~ |. 0:0:0:0:0:0:13.1.68.3 |. ::13.1.68.3 |~ |. 0:0:0:0:0:FFFF:129.144.52.38 |. ::FFFF:129.144.52.38 |~_ |: hyphen-variants|: |~ |~ |. 1070-0-0-0-0-800-200C-417B |. 1070--800-200C-417B |~ |. 0-0-0-0-0-0-13.1.68.3 |. --13.1.68.3 |~ |. 0-0-0-0-0-FFFF-129.144.52.38 |. --FFFF-129.144.52.38 |!table| |^ In common with all virtual services, if a connection can be established with the system and service port the server can respond to that request. The first example binds a service to accept IPv4 connections for any address, while the second the same for IPv6 (and for IPv4 if the interface has IPv4 configuration). |code| [[https://alpha.example.com:80]] [ServiceBind] 0.0.0.0 [[https://alpha6.example.com:80]] [ServiceBind] ::0 |!code| |^ If a service needs to be bound to a specific IP address then that can be specified using the [ServiceBind] directive using any of the literal address formats described above. |code| [[http://alpha.example.com:80]] [ServiceBind] 168.192.0.3 [[https://alpha6.example.com:80]] [ServiceBind] fe80::200:f8ff:fe24:1a22 [[https://[fe80::200:f8ff:fe24:1a22]:80]] |!code| |0IPv6 Name Resolution|| |^ TCP/IP Services for OpenVMS |/does not| provide an asynchronous name resolution ACP call for IPv6 as it does for IPv4. This means that dynamic name resolution in IPv6 environments is (currently) an issue. See the server code module [SRC.HTTPD]TCPIP6.C for further detail and workarounds. Let's hope this significant deficiency in VMS' IPv6 support is addressed sooner than later! |2To www. Or Not To www.| |^ In the twenty-first century the |/www.| prefix to Web services is largely redundant. Generally |/www.host.name| and |/host.name| are treated as synonymous. WASD conditionals often need to distinguish precisely on the service name and in some cases this can mean a service for the |/www.host.name| and the |/host.name||. |^ The WASD global configuration directive | |code| # WASD_CONFIG_GLOBAL [WWWimplied] enabled |!code| | (by default, and for backward-compatibility reasons, disabled) results in the server matching a request specifying a leading |/www.| matching a virtual service identical |_except| for the |/www.||. So for the configured service. | |code| [[http://the.host.name]] |!code| | a request to http://the.host.name/ (request header "Host: the.host.name") or to http://www.the.host.name/ (request header "Host: www.the.host.name") will be matched to it and allow conditionals, etc., to match to the one "the.host.name". |2Service Directives| |^ Where a service directive has an equivalent configuration directive (e.g. error report path) the service directive takes precedence. This allows specific virtual services to selectively override the generic configuration. |table&margin-top:-1em;| |~ |. |0_Service Directives| |~#* |. [[virtual-service]] |. scheme://host:port |~ |. [ServiceAdmin] |. an |/instance| Server Administration page service |~ |. [ServiceBind] |. if different to host's |~ |. [ServiceBodyTag] |. tag for server reports., etc |~ |. [ServiceClientSSLcert] |. proxy SSL connect client certificate file |~ |. [ServiceClientSSLkey] |. proxy SSL connect client private key file |~ |. [ServiceClientSSLcipherList] |. proxy SSL connect ciphers |~ |. [ServiceClientSSLverifyCA] |. verify CA of proxied requests |~ |. [ServiceClientSSLverifyCAfile] |. location of proxy CA file |~ |. [ServiceClientSSLversion] |. proxy SSL version to use |~ |. [ServiceConnect] |. respond to a connection on a port |~ |. [ServiceErrorReportPath] |. path to script, SSI or "flat" error document |~ |. [ServiceHttp2Protocol] |. per-service HTTP/2 disabled |~ |. [ServiceLogFormat] |. per-service access log format |~ |. [ServiceNoLog] |. suppress logging |~ |. [ServiceNonSSLRedirect] |. redirect non-SSL on SSL service |~ |. [ServiceProxy] |. proxy service |~ |. [ServiceProxyAffinity] |. make origin server "sticky" |~ |. [ServiceProxyAuth] |. require proxy authorization |~ |. [ServiceProxyCache] |. proxy caching |~ |. [ServiceProxyChain] |. chained proxy service host |~ |. [ServiceProxyChainCred] |. up-stream proxy service access credentials |~ |. [ServiceProxySSL] |. provide proxy of SSL (connect:) |~ |. [ServiceProxyTunnel] |. enable tunneling of octets |~ |. [ServiceRawSocket] |. enable "RawSocket" scripting |~ |. [ServiceShareSSH] |. share service with SSH |~ |. [ServiceSSLcert] |. SSL service certificate |~ |. [ServiceSSLcipherList] |. enabled/disabled <= TLSv2.0 ciphers |~ |. [ServiceSSLcipherSuites] |. enabled/disabled >= TLSv3.0 ciphers |~ |. [ServiceSSLkey] |. SSL service private key |~ |. [ServiceSSLoptions] |. SSL options |~ |. [ServiceSSLsessionLifetime] |. SSL session lifetime |~ |. [ServiceSSLstrictTransSec] |. HSTS maxiumum age in seconds |~ |. [ServiceSSLverifyPeer] |. access only using verified peer certificate |~ |. [ServiceSSLverifyPeerCAfile] |. location of CA file |~ |. [SSLverifyPeerDataMax] |. maximum kBytes of request data buffered during renegotiation |~ |. [ServiceSSLverifyPeerDepth] |. depth of certificate chain |~ |. [ServiceSSLversion] |. SSL version to use |!table| |^ Configuration keywords equivalent to many of these WASD_CONFIG_SERVICE directives but usable against the deprecated WASD_CONFIG_GLOBAL [Service] directive and the /SERVICE qualifier are available for backward compatibility. See section |/Command Line Parameters| in source file [SRC.HTTPD]SERVICE.C for a list of these keywords. |2Directive Detail| |^ Some of these directives control the behaviour of proxy services. Other directive are Secure Sockets Layer (SSL) specific. |number| |item| |*.[[virtual-service]]|| |/.(default: |/none||)|| |^ Specifies the scheme, host name (or asterisk) and port of a service. |item| |*.[ServiceAdmin] |=ENABLED\|DISABLED|||| |/.(default: DISABLED)| |^ Marks the port as |/administration| service (|link|Administration Services||). |item| |*.[ServiceBind] |/literal address|||| |/.(default: |/none||)| |^ If the system has a multi-homed network interface this binds the service to the specific IP address and not to INADDR_ANY. Generally this will not be necessary. The literal address may be in IPv4 dotted-decimal or IPv6 normal or compressed hexdecimal. |item| |*.[ServiceBodyTag] |/string|||| |/.(default: )|| |^ Specifies the HTML tag for server error and other report pages. This allows some measure of site "look-and-feel" in page colour, background, etc. to be maintained. |item| |*.[ServiceClientSSL] |=ENABLED\|DISABLED|||| |/.(default: DISABLED)| |^ Enables a proxy service to |/originate| HTTP-over-SSL requests. This is different to the CONNECT service enabled using [ServiceProxySSL]. It allows requests to be gatewayed between standard HTTP and Secure Sockets Layer. |note><| |0TLS/SSL Configuration| See |link%|../features/##Transport Layer Security| of |link%|../features/##|WASD Features and Facilities||. |!note| |item| |*.[ServiceClientSSLcert] |/string|||| |/.(default: none)| |^ Location of client certificate file if required to authenticate client connection. |item| |*.[ServiceClientSSLcipherList] |/string|||| |/.(default: none)| |item| |*.[ServiceClientSSLkey] |/string|||| |/.(default: none)| |^ Location of client private key file if required to authenticate client connection. |^ A comma-separated list of SSL ciphers to be used by the gateway to connect to SSL services. The use of this parameter might allow the selection of stronger ciphers to be forced to be used or the connection not allowed to procede. |note| These |/ServiceClientSSL..| directives are used to control behaviour when outgoing SSL connections are established (as with HTTP-to-SSL gatewaying). This should not be confused with verification of client certificates, which is better refered to as peer verification. See [ServiceSSLverifyPeer] and [ServiceSSLverifyPeerCAfile] directives. |!note| |item| |*.[ServiceClientSSLverifyCA] |=ENABLED\|DISABLED|||| |/.(default: DISABLED)| |^ Unless this directive is enabled the Certificate Authority (CA) used to issue the service's certificate is not verified. Requires that a CA file be provided. See note in [ServiceClientSSLcipherList] above. |item| |*.[ServiceClientSSLCaFile] |/string|||| |/.(default: none)| |^ Specifies the location of the collection of Certificate Authority (CA) certificates used to verify the connected-to server's certificate (VMS file specification). See note in [ServiceClientSSLcipherList] above. |item| |*.[ServiceClientSSLversion] |/string|||| |/.(default: SSLV2/V3)| |^ The abbreviation for the SSL protocol version to be used to connect to the SSL service. See note in [ServiceClientSSLcipherList] above. |item| |*.[ServiceConnect] |/string|||| |/.(default: none)| |^ Request-on-connects do not wait for client data but immediately generate a pseudo request for that service which can be detected and mapped for processing by the server. |^ See |link|Service Examples||. |item| |*.[ServiceErrorReportPath] |/string|||| |/.(default: none)| |^ Specifies the |*URL-format path| to an optional, error reporting SSI document or script (|link|Error Reporting||). This path can subsequently be remapped during request processing. |item| |*.[ServiceHttp2Protocol] |=ENABLED\|DISABLED|||| |/.(default: ENABLED)| |^ When HTTP/2 is enabled globally this allows an HTTP/1.|/n||-only service to be defined. |^ See |link%|../features/##HTTP/2| of |link%|../features/##|WASD Features and Facilities||. |item| |*.[ServiceLogFormat] |/string|||| |/.(default: none)| |^ Per-service access log format. See |\(hd_log_format)||. |item| |*.[ServiceNoLog] |=ENABLED\|DISABLED|||| |/.(default: DISABLED)| |^ When request logging is enabled then by default all services are logged. This directive allows logging to be suppressed for this service. |item| |*.[ServiceNonSSLRedirect] |=[code][host-name\|IP-address][:port]|||| |/.(default: none)| |^ The default behaviour when a non-SSL HTTP request is begun on an SSL service is to return a 400 error and short message. This directive instead redirects the client to the specified non-SSL service. The parameter can be an optional scheme (i.e. http:// or https://), optional full host name or IP address with optional port, or only a colon-delimited port number which will redirect using the current service name. A single colon is the minimum parameter and redirects to port 80 on the current service name. The default redirect code is 307 but this can be changed by providing a leading 301 or 302. |item| |*.[ServiceProxy] |=ENABLED\|DISABLED|||| |/.(default: DISABLED)| |^ Enables and disables proxy request processing for this service. |item| |*.[ServiceProxyAffinity] |=ENABLED\|DISABLED|||| |/.(default: DISABLED)|| |^ Uses cookies to allow the proxy server to make every effort to relay successive requests from a given client to the same origin host. This is also known as client to origin affinity or proxy affinity capability. |item| |*.[ServiceProxyAuth] |=|/none|| CHAIN\|LOCAL\|NONE\|PROXY|||| |/.(default: none)| |^ Makes a proxy service require authorization before a client is allowed access via it. |=CHAIN| allows an up-stream proxy server to request authorization. |=LOCAL| enables standard server authorization. |=NONE| disables authorization (default). |=PROXY| enables HTTP proxy authorization. authentication. |item| |*.[ServiceProxyCache] |=ENABLED\|DISABLED|||| |/.(default: DISABLED)|| |^ Enables and disables proxy caching for a proxy service. |item| |*.[ServiceProxyChain] |/string|||| |/.(default: none)| |^ Specifies the next proxy host if chained. |item| |*.[ServiceProxyChainCred] |/string|||| |/.(default: none)| |^ Credentials for the up-stream proxy server (BASIC authentication only); in the format |/username:password||. |item| |*.[ServiceProxyTunnel] |=CONNECT\|FIREWALL\|RAW|||| |/.(default: none)| |^ Transfers octets through the proxy server. |=FIREWALL| accepts a host and port specification before connecting. |=CONNECT| is the traditional CONNECT protocol. |=RAW| connects to a configured host an port. |item| |*.[ServiceProxySSL] |=ENABLED\|DISABLED|||| |/.(default: DISABLED)| |^ Specifies the service as providing proxying of SSL requests. This is sometimes refered as a "CONNECT" service. This proxies "https:" requests directly and is different to the HTTP-to-SSL proxying enabled using [ServiceProxyHttpSSL]. |item| |*.[ServiceRawSocket] |=ENABLED\|DISABLED|||| |/.(default: DISABLED)|| |^ Enable "RawSocket" processing on the service. See the chapter on WebSocket scripting in |link%|../scripting/##WebSocket| in |link%|../scripting/##|WASD Web Services - Scripting| |item| |*.[ServiceShareSSH] |/integer|||| |/.(default: 0 (disabled))| |^ Non-zero enables service sharing with an SSH server and sets the number of seconds for input timeout. |^ See |link%|../features/##Shared SSH Tunnel| of |link%|../features/##|WASD Features and Facilities||. |item| |*.[ServiceSSLcert] |/string|||| |/.(default: none)| |^ Specifies the location of the SSL certificates (VMS file specification). |note><| |0TLS/SSL Configuration| See |link%|../features/##Transport Layer Security| of |link%|../features/##|WASD Features and Facilities||. |!note| |item| |*.[ServiceSSLcipherList] |/string|||| |/.(default is OpenSSL defined)| |^ A colon-separated list (OpenSSL syntax) of <= TLSv2.0 ciphers allowed to be used by clients to connect to TLS services. The use of this parameter might allow the selection of stronger ciphers to be forced to be used or the connection not allowed to procede. |item| |*.[ServiceSSLcipherSuites] |/string|||| |/.(default is OpenSSL defined)| |^ A colon-separated list (OpenSSL syntax) of >= TLSv3.0 ciphers allowed to be used by clients to connect to TLS services. The use of this parameter might allow the selection of stronger ciphers to be forced to be used or the connection not allowed to procede. |item| |*.[ServiceSSLkey] |/string|||| |/.(default: none)| |^ Specifies the location of the SSL private key (VMS file specification). |item| |*.[ServiceSSLsessionLifetime] |/hh:mm:ss|||| |/.(no default)| |^ The default maximum period for session reuse is five minutes. This is the per-service equivalent of the global directive [SSLsessionLifetime]. |item| |*.[ServiceSSLstrictTransSec] |/hh:mm:ss|||| |/.(no default)| |^ When non-zero represents the number of seconds, or maximum age, of a HSTS "Strict-Transport-Security:" response header field. See |link%|../features/##Transport Layer Security| of |link%|../features/##|WASD Features and Facilities||. There is an equivalent global directive. |item| |*.[ServiceSSLverifyPeer] |=ENABLED\|DISABLED|||| |/.(default: DISABLED)|| |^ To access this service a client must provide a verified CA client certificate. |item| |*.[ServiceSSLverifyPeerCAfile] |/string|||| |/.(default: none)| |^ Specifies the location of the collection of Certificate Authority (CA) certificates used to verify a peer certificate (VMS file specification). |item| |*.[ServiceSSLverifyPeerDataMax] |/integer|||| |/.(default: 1024)|| |^ When a client certificate is requested for authentication via TLS/SSL renegotiation this is the maximum kilobytes POST/PROPFIND/PUT data buffered during the renegotiation. There is an equivalent global directive. |item| |*.[SSLverifyPeerDepth] |/integer|||| |/.(default: 0)|| |^ Level through a certificate chain a client is verified to. |item| |*.[ServiceSSLversion] |/string|||| |/.(default: TLS family of protocols)| |^ The abbreviation for the TLS/SSL protocol version allowed to be used to connect to an SSL service. Using the directive a service may select prefered protocols. |!number| |2Administration| |^ A service configuration file can be maintained using a simple text editor and WASD_CONFIG_SERVICE. |^ Alternatively the Server Administration facility may be used When using this interface for the first time ensure the WASD_CONFIG_SERVICE logical is correctly defined. If the file did not exist at server startup any services will have been created from the WASD_CONFIG_GLOBAL [Service] directive. These will be displayed as the existing services and will be saved to the configuration file the first time it is saved. Changes to the service configuration file require a server restart to put them into effect. |^ The [IncludeFile] is a directive common to all WASD configuration, allowing a separate file to be included as a part of the current configuration (|link|Include File Directive||). |^ Not all configuration directives may be shown depending on the type of service. For instance, unless a service is configured to provide proxy, only the [ServiceProxy] directive is displayed. To fully configure such a service enable it as proxy, save the file, then reload it. The additional directives will now be available. |^ There is always one empty service displayed each time the configuration menu is generated. This information may be changed appropriately and then saved to add new services to the configuration (of course, these will not be available until the server is restarted). To configure multiple new services add one at a time, saving each and reloading the file to provide a new blank service. |2Service Examples| |number| |item| The following example shows three services being configured. The first is standard HTTP on the default (and well-known) port 80. The second is a proxy service on port 8080. This service provides both standard HTTP (with response caching enabled), SSL (connect:) access and proxy authorization required. The third service is SSL, with a host-specific certificate and key. |code| [[http://alpha.example.com:80]] [[http://alpha.example.com:8080]] [ServiceProxy] enabled [ServiceProxyAuth] PROXY [ServiceProxyCache] enabled [ServiceProxySSL] enabled [[https://alpha.example.com:443]] [ServiceSSLcert] WASD_ROOT:[local]alpha.pem |!code| |item| This example shows a generic service service being configured on the well-known port 80. |code| [[http://*:80]] |!code| If a cluster of four systems, ALPHA, BETA, GAMMA and DELTA all use this configuration each will have a service accessible via the following four URLs. |code| http://alpha.example.com/ http://beta.example.com/ http://gamma.example.com/ http://delta.example.com/ |!code| |item| The following example show two services configured against specific IP addresses. The first is an IPv4 and the second a compressed IPv6. |code| [[http://alpha.example.com:80]] [ServiceBind] 168.192.0.3 [[https://alpha6.example.com:80]] [ServiceBind] fe80::200:f8ff:fe24:1a22 |!code| |item| An |/administration port| is a special configuration used to support the Server Administration facility when multiple per-node instances are configured See description above. |code| [[https://alpha.example.com:44443]] [ServiceAdmin] enabled [ServiceSSLcert] WASD_ROOT:[local]alpha.pem [ServiceSSLkey] WASD_ROOT:[local]alpha.pem |!code| |item| |^ A classic [ServiceConnect] use case is to generate a response when a port is connected to. In this example, a disabled telnet service. |code| # WASD_CONFIG_SERVICE [[http://*:23]] [ServiceConnect] enabled |!code| |code| # WASD_CONFIG_MAP # TELNET port advisory [[*:23]] pass * /web/online/port23.txt response=var=crlf |!code| |code| $ TYPE WEB:[ONLINE]PORT23.TXT ************************************************ TELNET terminal access to the.host.name is unavailable! Please use the instructions available at... https://the.host.name/online/ssh ************************************************ |!code| |^ While the above example shows a simple |/pass| to a static file, the mapping could just as simply been mapped to a script to provide a more dynamic response. |code| # WASD_CONFIG_MAP # TELNET port advisory [[*:23]] map * /cgi-bin/port23 |...| exec /cgi-bin/* /cgi-bin/* |!code| |!number|