Defining Web rules: Difference between revisions
m (clarify ALLOW rule for SSL and non-SSL) |
m (typo) |
||
(7 intermediate revisions by 2 users not shown) | |||
Line 29: | Line 29: | ||
Here is a typical set of rules for defining a <var class="product">Janus Web Server</var> port, | Here is a typical set of rules for defining a <var class="product">Janus Web Server</var> port, | ||
associating Web rules with it, and starting it: | associating Web rules with it, and starting it: | ||
<p class="code">* First make sure the port definition isn't | <p class="code">* First make sure the port definition isn't already there: | ||
* | * | ||
JANUS FORCE WEBBY | JANUS FORCE WEBBY | ||
JANUS DELETE WEBBY | JANUS DELETE WEBBY | ||
* | * | ||
* Then define WEBBY at port 80, allowing 300 | * Then define WEBBY at port 80, allowing 300 connections, | ||
* | * opening a file and executing a UTABLE command: | ||
* | * | ||
JANUS DEFINE WEBBY 80 WEBSERV 300 WEBUSER - | JANUS DEFINE WEBBY 80 WEBSERV 300 WEBUSER - | ||
Line 43: | Line 41: | ||
CMD 'UTABLE LSTBL 12000' | CMD 'UTABLE LSTBL 12000' | ||
* | * | ||
* Then define a group of IP addresses that will | * Then define a group of IP addresses that will be granted | ||
* | * access to the port (deleting previous definitions first): | ||
* | * | ||
JANUS DELETEIPGROUP PRIVILEGED | JANUS DELETEIPGROUP PRIVILEGED | ||
Line 51: | Line 48: | ||
198.242.244.0-3 169.231.0.0-24 184.194.222.7 | 198.242.244.0-3 169.231.0.0-24 184.194.222.7 | ||
* | * | ||
* Then define a group of user IDs that will be | * Then define a group of user IDs that will be granted access | ||
* | * to the port (deleting previous definitions first): | ||
* | * | ||
JANUS DELETEUSGROUP CLOWNS | JANUS DELETEUSGROUP CLOWNS | ||
JANUS DEFINEUSGGROUP CLOWNS MILKY* BOZO* | JANUS DEFINEUSGGROUP CLOWNS MILKY* BOZO* | ||
* | * | ||
* Specify any redirection — here we transfer | * Specify any redirection — here we transfer any requests | ||
* | * for Java applications to another web server: | ||
* | * | ||
JANUS WEB WEBBY NOREDIRECT | JANUS WEB WEBBY NOREDIRECT | ||
Line 66: | Line 61: | ||
http://sirius-software.com:8080/java/*.jav | http://sirius-software.com:8080/java/*.jav | ||
* | * | ||
* Revoke all access globally to clear old rules, | * Revoke all access globally to clear old rules, then re-grant | ||
* | * access based on the above-defined groups: | ||
* | * | ||
JANUS WEB WEBBY DISALLOW * | JANUS WEB WEBBY DISALLOW * | ||
Line 75: | Line 69: | ||
JANUS WEB WEBBY DISALLOW IPADDR 198.242.244.41 | JANUS WEB WEBBY DISALLOW IPADDR 198.242.244.41 | ||
* | * | ||
* Specify content type with the TYPE subcommand | * Specify content type with the TYPE subcommand: | ||
* | * | ||
JANUS WEB WEBBY TYPE *.PDF application/pdf | JANUS WEB WEBBY TYPE *.PDF application/pdf | ||
* | * | ||
* Use "ON" commands to specify actions that are | * Use "ON" commands to specify actions that are taken | ||
* | * when incoming requests contain the specified string: | ||
* | * | ||
JANUS WEB WEBBY ON /*.HTML SEND HTML_* | JANUS WEB WEBBY ON /*.HTML SEND HTML_* | ||
Line 91: | Line 84: | ||
Each execution of a <var>[[JANUS WEB]]</var> subcommand adds to the set of rules for | Each execution of a <var>[[JANUS WEB]]</var> subcommand adds to the set of rules for | ||
the specified <var class="product">Web Server</var> port. | the specified <var class="product">Web Server</var> port. | ||
Individual rules cannot be deleted nor | Individual rules cannot be deleted nor modified; all rules can be deleted only by stopping and deleting the | ||
modified; all rules can be deleted only by stopping and deleting the | |||
port definition. | port definition. | ||
However, this should not be necessary, as long as you | However, this should not be necessary, as long as you follow two guidelines: | ||
follow two guidelines: | |||
<ol> | <ol> | ||
<li>Specify the most general rules first and most specific last. | <li>Specify the most general rules first and most specific last. | ||
Line 105: | Line 96: | ||
defined. | defined. | ||
For example, look at the <var>[[JANUS WEB ALLOW|ALLOW]]</var> directives: | For example, look at the <var>[[JANUS WEB ALLOW|ALLOW]]</var> directives: | ||
The first rule | The first rule eliminates all previous permissions with a <code>DISALLOW *</code> before any <var>ALLOW</var>s | ||
eliminates all previous permissions with a <code>DISALLOW *</code> before any <var>ALLOW</var>s | |||
are specified. | are specified. | ||
The <var>[[JANUS DEFINE]]</var> command near the top of the sample rules specifies a World | The <var>[[JANUS DEFINE]]</var> command near the top of the sample rules specifies a World | ||
Wide Web server to be created at port 80 and to be called <code>WEBBY</code>. | Wide Web server to be created at port 80 and to be called <code>WEBBY</code>. | ||
It | It allows up to 300 simultaneous connections, and connections requesting | ||
allows up to 300 simultaneous connections, and connections requesting | URLs that don't require logons will appear in <var class="product">Model 204</var> as being | ||
URLs that don't require logons will appear in <var class="product">Model 204</var> as being | associated with the user ID <code>WWWUSER</code> (in the journal, in <var>LOGWHO</var> commands, etc.). | ||
associated with the | |||
commands, etc.). | |||
A group named <code>WEBDOCS</code> is opened. | A group named <code>WEBDOCS</code> is opened. | ||
The <code>CMD</code> sets <var>LSTBL</var> to 12000 for WWW | The <code>CMD</code> sets <var>LSTBL</var> to 12000 for WWW users. | ||
users. | |||
URL processing is handled by rules specified on <var>JANUS WEB</var> | URL processing is handled by rules specified on <var>JANUS WEB</var> | ||
subcommands — this is the default processing when <var>CMD</var> doesn't re-route | subcommands — this is the default processing when <var>CMD</var> doesn't re-route | ||
processing to either an APSY or a <var class="product"> | processing to either an APSY or a <var class="product">SOUL</var> procedure. | ||
The <var>JANUS WEB</var> subcommand defines how the web server will act. | The <var>JANUS WEB</var> subcommand defines how the web server will act. | ||
Line 173: | Line 160: | ||
==Automatic Web rules== | ==Automatic Web rules== | ||
As an aid to initially setting up and testing server ports, Janus Web Server | As an aid to initially setting up and testing server ports, Janus Web Server currently applies the following built-in (assembler code) rules. They are in effect unless disabled or overridden by user-supplied <var>JANUS WEB</var> rules: | ||
<p class="code">JANUS WEB <i>portname</i> | <p class="code">JANUS WEB <i>portname</i> DISALLOW * | ||
JANUS WEB <i>portname</i> TYPE ANY * TEXT/PLAIN | JANUS WEB <i>portname</i> TYPE ANY * TEXT/PLAIN | ||
JANUS WEB <i>portname</i> TYPE ANY *.HTML TEXT/HTML | JANUS WEB <i>portname</i> TYPE ANY *.HTML TEXT/HTML | ||
Line 198: | Line 185: | ||
</p></li> | </p></li> | ||
<li>Prior to Model 204 | <li>Prior to Model 204 version 7.6, the default <var>ALLOW</var> rule for non-SSL Web ports was: | ||
<p class="code">JANUS WEB <i>portname</i> ALLOW * | <p class="code">JANUS WEB <i>portname</i> ALLOW * | ||
</p> | </p> | ||
<p> | <p> | ||
This rule | This rule made all non-SSL web pages public. Model 204 7.6 maintenance zaps change the automatic <var>ALLOW</var> rule to: </p> | ||
<p class="code">JANUS WEB <i>portname</i> | <p class="code">JANUS WEB <i>portname</i> DISALLOW * | ||
</p> | </p> | ||
<p> | <p> | ||
This | This rule means that a system administrator must explicitly define <var>ALLOW</var> rules to enable users to access non-SSL ports. </p> | ||
<blockquote class="note"><b> | <blockquote class="note"><b>Notes:</b> | ||
<p class="code">ALLOW * USER <i>user</i> </p> | <ul> | ||
<li>With version 7.6 zap 76Z090 or version 7.7 zap 77Z420, you can make the default <var>ALLOW</var> rule as it was in version 7.5 and earlier (<code>ALLOW *</code>) by turning on the 1 bit of the <var>[[WEBDFLT parameter|WEBDFLT]]</var> parameter: | |||
<p class="code">RESET WEBDFLT=1</p></li> | |||
<li>If the Janus port definition includes the <var>[[SSL (JANUS DEFINE parameter)|SSL]]</var> parameter, the default <var>DISALLOW/ALLOW</var> rule was and is: | |||
<p class="code">JANUS WEB <i>portname</i> DISALLOW * | |||
JANUS WEB <i>portname</i> ALLOW * USER <i>user</i> </p></li> | |||
</ul> | |||
</blockquote ></li> | </blockquote ></li> | ||
</ul> | </ul> |
Latest revision as of 20:50, 10 February 2017
Other web servers usually have a configuration file which defines the rules by which the server will run. The Janus Web Server uses Janus subcommands. These subcommands are typically executed in Model 204's CCAIN stream or from a procedure. Because the rules become complex, and because Janus allows the rules to be changed while the server is running, it is useful to keep the commands for defining a particular port in a Model 204 procedure.
For information about the actions taken for the various subcommands of the JANUS DEFINE and JANUS WEB commands, see Command execution order.
Any number of web clients may simultaneously access a Model 204 Online that has Janus Web Server, limited only by the number of Janus Web Server threads the site is licensed for.
Each web server is associated with a specific port number. By convention, web servers usually run at port 80, and test ports typically use ports 8000, 8001, and 8080. However, you may use any port number available on the Janus TCP/IP Base, from 1 to 65535. If you want to have multiple port numbers available for web clients, issue JANUS DEFINE commands for WEB servers at those port numbers.
Sample Web rules deck
Here is a typical set of rules for defining a Janus Web Server port, associating Web rules with it, and starting it:
* First make sure the port definition isn't already there: * JANUS FORCE WEBBY JANUS DELETE WEBBY * * Then define WEBBY at port 80, allowing 300 connections, * opening a file and executing a UTABLE command: * JANUS DEFINE WEBBY 80 WEBSERV 300 WEBUSER - WWWUSER OPEN GROUP WEBDOCS - CMD 'UTABLE LSTBL 12000' * * Then define a group of IP addresses that will be granted * access to the port (deleting previous definitions first): * JANUS DELETEIPGROUP PRIVILEGED JANUS DEFINEIPGROUP PRIVILEGED - 198.242.244.0-3 169.231.0.0-24 184.194.222.7 * * Then define a group of user IDs that will be granted access * to the port (deleting previous definitions first): * JANUS DELETEUSGROUP CLOWNS JANUS DEFINEUSGGROUP CLOWNS MILKY* BOZO* * * Specify any redirection — here we transfer any requests * for Java applications to another web server: * JANUS WEB WEBBY NOREDIRECT JANUS WEB WEBBY REDIRECT *.jav - http://sirius-software.com:8080/java/*.jav * * Revoke all access globally to clear old rules, then re-grant * access based on the above-defined groups: * JANUS WEB WEBBY DISALLOW * JANUS WEB WEBBY ALLOW IPGROUP PRIVILEGED JANUS WEB WEBBY ALLOW USGROUP CLOWNS JANUS WEB WEBBY DISALLOW IPADDR 198.242.244.41 * * Specify content type with the TYPE subcommand: * JANUS WEB WEBBY TYPE *.PDF application/pdf * * Use "ON" commands to specify actions that are taken * when incoming requests contain the specified string: * JANUS WEB WEBBY ON /*.HTML SEND HTML_* JANUS WEB WEBBY ON /*.GIF SEND GIF_* JANUS WEB WEBBY ON /COMMAND/* CMD * JANUS START WEBBY
Each execution of a JANUS WEB subcommand adds to the set of rules for the specified Web Server port. Individual rules cannot be deleted nor modified; all rules can be deleted only by stopping and deleting the port definition. However, this should not be necessary, as long as you follow two guidelines:
- Specify the most general rules first and most specific last.
- Specify a first rule that will clear all related rules.
That is why the above examples specify a global rule first that revokes
all previous definitions before new privileges or directives are
defined.
For example, look at the ALLOW directives:
The first rule eliminates all previous permissions with a DISALLOW *
before any ALLOWs
are specified.
The JANUS DEFINE command near the top of the sample rules specifies a World
Wide Web server to be created at port 80 and to be called WEBBY
.
It allows up to 300 simultaneous connections, and connections requesting
URLs that don't require logons will appear in Model 204 as being
associated with the user ID WWWUSER
(in the journal, in LOGWHO commands, etc.).
A group named WEBDOCS
is opened.
The CMD
sets LSTBL to 12000 for WWW users.
URL processing is handled by rules specified on JANUS WEB
subcommands — this is the default processing when CMD doesn't re-route
processing to either an APSY or a SOUL procedure.
The JANUS WEB subcommand defines how the web server will act. Most of the other commands are common to any Janus port.
Command execution order
JANUS WEB rules are executed in a strict order which guarantees consistent access control and processing for URLs.
That order is:
- OPEN and CMD processing from the JANUS DEFINE subcommand.
These commands are always the first to execute on any port. For Web Servers, the OPEN command might open the file containing HTML procedures, and the CMD command can be used to reset UTABLE settings.
- REDIRECT/NOREDIRECT
Any requests that are being handled outside the Web Server are immediately routed out.
- ALLOW/DISALLOW
Access security rules are applied. Anytime a
USER
orUSGROUP
is specified, Model 204 logon processing is invoked. - JANUS WEB TYPE definitions
Datatype (mime) specifications are applied to URLs.
- OPEN and CMD processing from the JANUS DEFINE command
The OPEN and CMD commands on the DEFINE command can initiate a generic web driver procedure to be used to collect usage activity for the port — perhaps based on URL, user ID, or IP address.
- JANUS WEB ON directives
The OPEN parameter in an ON rule opens a file or group specific to the URL, and the CMD, SEND, or RECEIVE parameter indicates the action to be taken for matching URLs.
Within the above order, the JANUS WEB rules are searched in reverse order for the first match; that is, the last matching rule specified takes precedence over all previous rules.
Automatic Web rules
As an aid to initially setting up and testing server ports, Janus Web Server currently applies the following built-in (assembler code) rules. They are in effect unless disabled or overridden by user-supplied JANUS WEB rules:
JANUS WEB portname DISALLOW * JANUS WEB portname TYPE ANY * TEXT/PLAIN JANUS WEB portname TYPE ANY *.HTML TEXT/HTML JANUS WEB portname TYPE ANY / TEXT/HTML JANUS WEB portname TYPE ANY *.HTM TEXT/HTML JANUS WEB portname TYPE ANY *.GIF IMAGE/GIF JANUS WEB portname TYPE ANY *.JPEG IMAGE/JPEG JANUS WEB portname TYPE ANY *.JPG IMAGE/JPEG
These rules take effect for a Janus port specified by a JANUS DEFINE portname command.
Notes
- Prior to Model 204 version 7.6, the following two rules were also automatically in force as soon as a port was defined:
JANUS WEB portname ON / OPEN FILE SIRIUS CMD 'INCLUDE JANWEB.HOMEPAGE.HTML' JANUS WEB portname ON /JANWEB/* OPEN FILE SIRIUS CMD 'INCLUDE JANWEB.*'
These rules set up access to the Janus Web sample home page and to demonstration application procedures. As of Model 204 7.6, there are no automatic JANUS WEB ON rules, so the above rules need to be manually added to a port just like any other rules.
Furthermore, as of RKTools version 7.7, the code for the Janus Network Security SSL maintenance application, which provides for generation of self-signed security certificates and certificate requests, and the code for the Janus Web demonstration applications resides in the
M204PROC
file instead of in theSIRIUS
file. To get the same access to a web port that the old automatic rules provided, these are the rules to add manually for the port:JANUS WEB portname ON / OPEN FILE M204PROC CMD 'INCLUDE JANWEB.HOMEPAGE.HTML' JANUS WEB portname ON /JANWEB/* OPEN FILE M204PROC CMD 'INCLUDE JANWEB.*'
- Prior to Model 204 version 7.6, the default ALLOW rule for non-SSL Web ports was:
JANUS WEB portname ALLOW *
This rule made all non-SSL web pages public. Model 204 7.6 maintenance zaps change the automatic ALLOW rule to:
JANUS WEB portname DISALLOW *
This rule means that a system administrator must explicitly define ALLOW rules to enable users to access non-SSL ports.
Notes:
- With version 7.6 zap 76Z090 or version 7.7 zap 77Z420, you can make the default ALLOW rule as it was in version 7.5 and earlier (
ALLOW *
) by turning on the 1 bit of the WEBDFLT parameter:RESET WEBDFLT=1
- If the Janus port definition includes the SSL parameter, the default DISALLOW/ALLOW rule was and is:
JANUS WEB portname DISALLOW * JANUS WEB portname ALLOW * USER user
- With version 7.6 zap 76Z090 or version 7.7 zap 77Z420, you can make the default ALLOW rule as it was in version 7.5 and earlier (