Defining Web rules: Difference between revisions
m (minor formatting) |
m (clarify ALLOW rule for SSL and non-SSL) |
||
Line 174: | Line 174: | ||
==Automatic Web rules== | ==Automatic Web rules== | ||
As an aid to initially setting up and testing server ports, Janus Web Server always applies the following built-in (assembler code) rules. They are in effect unless disabled or overridden by user-supplied <var>JANUS WEB</var> rules: | As an aid to initially setting up and testing server ports, Janus Web Server always applies the following built-in (assembler code) rules. They are in effect unless disabled or overridden by user-supplied <var>JANUS WEB</var> rules: | ||
<p class="code">JANUS WEB <i>portname</i> ALLOW * | <p class="code">JANUS WEB <i>portname</i> ALLOW * USER * | ||
JANUS WEB <i>portname</i> TYPE ANY * TEXT/PLAIN | JANUS WEB <i>portname</i> TYPE ANY * TEXT/PLAIN | ||
JANUS WEB <i>portname</i> TYPE ANY *.HTML TEXT/HTML | JANUS WEB <i>portname</i> TYPE ANY *.HTML TEXT/HTML | ||
JANUS WEB <i>portname</i> TYPE ANY / TEXT/HTML | JANUS WEB <i>portname</i> TYPE ANY / TEXT/HTML | ||
JANUS WEB <i>portname</i> TYPE ANY *.HTM TEXT/HTML | JANUS WEB <i>portname</i> TYPE ANY *.HTM TEXT/HTML | ||
JANUS WEB <i>portname</i> TYPE ANY *.GIF IMAGE/GIF | JANUS WEB <i>portname</i> TYPE ANY *.GIF IMAGE/GIF | ||
JANUS WEB <i>portname</i> TYPE ANY *.JPEG IMAGE/JPEG | JANUS WEB <i>portname</i> TYPE ANY *.JPEG IMAGE/JPEG | ||
JANUS WEB <i>portname</i> TYPE ANY *.JPG IMAGE/JPEG | JANUS WEB <i>portname</i> TYPE ANY *.JPG IMAGE/JPEG </p> | ||
These rules take effect for a Janus port specified by a <var>JANUS DEFINE <i>portname</i></var> command. | These rules take effect for a Janus port specified by a <var>JANUS DEFINE <i>portname</i></var> command. | ||
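Review bot: The first rule in the list now reads `ALLOW * USER *`, but the sentence introducing the list still says these rules are "always" applied. The Notes further down state that before Model 204 V7.6 the default was `ALLOW *`, and that ports defined with the SSL parameter have a different default. Suggest qualifying this entry or pointing to the Notes, so that readers on earlier versions or on SSL ports do not take it as their default.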
Line 198: | Line 198: | ||
</p></li> | </p></li> | ||
<li>Prior to Model 204 V7.6, there was a single default <var>ALLOW</var> rule: | <li>Prior to Model 204 V7.6, there was a single default <var>ALLOW</var> rule: | ||
<p class="code">JANUS WEB <i>portname</i> ALLOW * | <p class="code">JANUS WEB <i>portname</i> ALLOW * | ||
</p> | </p> | ||
Line 206: | Line 206: | ||
</p> | </p> | ||
<p> | <p> | ||
This slightly more formal version of the rule allows all users to see all pages, but it requires that the user have a valid user ID. In cases where a default <code>WEBUSER</code> ID is specified on the port definition, non-logged-in users will have that default ID. </p></li> | This slightly more formal version of the rule allows all users to see all pages, but it requires that the user have a valid user ID. In cases where a default <code>WEBUSER</code> ID is specified on the port definition, non-logged-in users will have that default ID. </p> | ||
<blockquote class="note"><b>Note:</b> If the Janus port definition includes the <var>[[SSL (JANUS DEFINE parameter)|SSL]]</var> parameter, the default <var>ALLOW</var> rule was and is: | |||
<p class="code">ALLOW * USER <i>user</i> </p> | |||
</blockquote ></li> | |||
</ul> | </ul> | ||
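Review bot: In the added note, the rule is written as `ALLOW * USER user` without the `JANUS WEB portname` prefix that the other rules on the page carry, and the italic `user` placeholder is not explained, so it is unclear how this differs from `USER *`. Suggest writing the rule in full and saying what `user` stands for. The closing tag `</blockquote >` also has a stray space before the `>`.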
Revision as of 21:09, 4 January 2017
Other web servers usually have a configuration file which defines the rules by which the server will run. The Janus Web Server uses Janus subcommands. These subcommands are typically executed in Model 204's CCAIN stream or from a procedure. Because the rules become complex, and because Janus allows the rules to be changed while the server is running, it is useful to keep the commands for defining a particular port in a Model 204 procedure.
For information about the actions taken for the various subcommands of the JANUS DEFINE and JANUS WEB commands, see Command execution order.
Any number of web clients may simultaneously access a Model 204 Online that has Janus Web Server, limited only by the number of Janus Web Server threads the site is licensed for.
Each web server is associated with a specific port number. By convention, web servers usually run at port 80, and test ports typically use ports 8000, 8001, and 8080. However, you may use any port number available on the Janus TCP/IP Base, from 1 to 65535. If you want to have multiple port numbers available for web clients, issue JANUS DEFINE commands for WEB servers at those port numbers.
Sample Web rules deck
Here is a typical set of rules for defining a Janus Web Server port, associating Web rules with it, and starting it:
* First make sure the port definition isn't
* already there.
*
JANUS FORCE WEBBY
JANUS DELETE WEBBY
*
* Then define WEBBY at port 80, allowing 300
* connections, opening a file and executing a
* UTABLE command.
*
JANUS DEFINE WEBBY 80 WEBSERV 300 WEBUSER -
  WWWUSER OPEN GROUP WEBDOCS -
  CMD 'UTABLE LSTBL 12000'
*
* Then define a group of IP addresses that will
* be granted access to the port (deleting previous
* definitions first).
*
JANUS DELETEIPGROUP PRIVILEGED
JANUS DEFINEIPGROUP PRIVILEGED -
  198.242.244.0-3 169.231.0.0-24 184.194.222.7
*
* Then define a group of user IDs that will be
* granted access to the port (deleting previous
* definitions first).
*
JANUS DELETEUSGROUP CLOWNS
JANUS DEFINEUSGROUP CLOWNS MILKY* BOZO*
*
* Specify any redirection — here we transfer
* any requests for Java applications to another
* web server.
*
JANUS WEB WEBBY NOREDIRECT
JANUS WEB WEBBY REDIRECT *.jav -
  http://sirius-software.com:8080/java/*.jav
*
* Revoke all access globally to clear old rules,
* then re-grant access based on the above-defined
* groups.
*
JANUS WEB WEBBY DISALLOW *
JANUS WEB WEBBY ALLOW IPGROUP PRIVILEGED
JANUS WEB WEBBY ALLOW USGROUP CLOWNS
JANUS WEB WEBBY DISALLOW IPADDR 198.242.244.41
*
* Specify content type with the TYPE subcommand.
*
JANUS WEB WEBBY TYPE *.PDF application/pdf
*
* Use "ON" commands to specify actions that are
* taken when incoming requests contain the
* specified string.
*
JANUS WEB WEBBY ON /*.HTML SEND HTML_*
JANUS WEB WEBBY ON /*.GIF SEND GIF_*
JANUS WEB WEBBY ON /COMMAND/* CMD *
JANUS START WEBBY
Each execution of a JANUS WEB subcommand adds to the set of rules for the specified Web Server port. Individual rules can be neither deleted nor modified; the rules can be removed only all at once, by stopping and deleting the port definition. However, this should not be necessary, as long as you follow two guidelines:
- Specify the most general rules first and most specific last.
- Specify a first rule that will clear all related rules.
That is why the above examples specify a global rule first that revokes all previous definitions before new privileges or directives are defined. For example, look at the ALLOW directives: the first rule eliminates all previous permissions with a DISALLOW * before any ALLOWs are specified.
The JANUS DEFINE command near the top of the sample rules specifies a World Wide Web server to be created at port 80 and to be called WEBBY. It allows up to 300 simultaneous connections, and connections requesting URLs that don't require logons will appear in Model 204 as being associated with the userid WWWUSER (in the journal, in LOGWHO commands, etc.). A group named WEBDOCS is opened. The CMD sets LSTBL to 12000 for WWW users. URL processing is handled by rules specified on JANUS WEB subcommands; this is the default processing when CMD doesn't re-route processing to either an APSY or a User Language procedure.
The JANUS WEB subcommand defines how the web server will act. Most of the other commands are common to any Janus port.
Command execution order
JANUS WEB rules are executed in a strict order which guarantees consistent access control and processing for URLs.
That order is:
- OPEN and CMD processing from the JANUS DEFINE subcommand.
These commands are always the first to execute on any port. For Web Servers, the OPEN command might open the file containing HTML procedures, and the CMD command can be used to reset UTABLE settings.
- REDIRECT/NOREDIRECT
Any requests that are being handled outside the Web Server are immediately routed out.
- ALLOW/DISALLOW
Access security rules are applied. Anytime a USER or USGROUP is specified, Model 204 logon processing is invoked.
- JANUS WEB TYPE definitions
Data type (MIME) specifications are applied to URLs.
- OPEN and CMD processing from the JANUS DEFINE command
The OPEN and CMD commands on the DEFINE command can initiate a generic web driver procedure to be used to collect usage activity for the port — perhaps based on URL, user ID, or IP address.
- JANUS WEB ON directives
The OPEN parameter in an ON rule opens a file or group specific to the URL, and the CMD, SEND, or RECEIVE parameter indicates the action to be taken for matching URLs.
Within the above order, the JANUS WEB rules are searched in reverse order for the first match; that is, the last matching rule specified takes precedence over all previous rules.
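The reverse-order search described above can be checked offline before a deck is run against a port. The following is an added example, not Janus code or part of the original page: it models only TYPE rules, taking the automatic rules this page lists plus the sample deck's PDF rule. It assumes that `*` is the only wildcard, that matching is case-insensitive, and that the `ANY` keyword can be skipped; the function names are hypothetical. It also reports rules that a later, broader rule has made unreachable, which is the ordering mistake the two guidelines above are meant to prevent.

```python
import re

# Constructed deck: automatic TYPE rules quoted on this page for a port named
# WEBBY, followed by the PDF rule from the sample deck.
DECK = """\
JANUS WEB WEBBY TYPE ANY * TEXT/PLAIN
JANUS WEB WEBBY TYPE ANY *.HTML TEXT/HTML
JANUS WEB WEBBY TYPE ANY / TEXT/HTML
JANUS WEB WEBBY TYPE ANY *.HTM TEXT/HTML
JANUS WEB WEBBY TYPE ANY *.GIF IMAGE/GIF
JANUS WEB WEBBY TYPE *.PDF application/pdf
"""

def parse_type_rules(deck):
    """Return [(url_pattern, mime_type)] in definition order."""
    rules = []
    for line in deck.splitlines():
        words = line.split()
        if len(words) < 6 or words[:2] != ["JANUS", "WEB"] or words[3] != "TYPE":
            continue  # comment lines and other subcommands are ignored
        args = words[4:]
        if args[0] == "ANY":  # assumption: ANY is skipped, not modeled
            args = args[1:]
        if len(args) >= 2:
            rules.append((args[0], args[1]))
    return rules

def glob_match(pattern, text):
    """'*' matches any run of characters; case-insensitive (assumption)."""
    regex = ".*".join(re.escape(p) for p in pattern.upper().split("*"))
    return re.fullmatch(regex, text.upper(), re.DOTALL) is not None

def resolve_type(rules, url):
    """Search the rules in reverse: the last matching rule defined wins."""
    for pattern, mime in reversed(rules):
        if glob_match(pattern, url):
            return mime
    return None

def shadowed_rules(rules):
    """Pairs (earlier, later) where a later pattern covers the earlier one,
    so the earlier rule can never be selected."""
    pairs = []
    for i, (early, _) in enumerate(rules):
        for late, _ in rules[i + 1:]:
            if glob_match(late, early):  # later pattern matches earlier pattern text
                pairs.append((early, late))
                break
    return pairs

RULES = parse_type_rules(DECK)
MISORDERED = RULES + [("*", "TEXT/PLAIN")]  # catch-all defined last overrides all
```

With the rules in the page's order nothing is shadowed; appending a catch-all after the specific rules makes every earlier rule unreachable, and per the page the same search order applies to the ALLOW/DISALLOW rules.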
Automatic Web rules
As an aid to initially setting up and testing server ports, Janus Web Server always applies the following built-in (assembler code) rules. They are in effect unless disabled or overridden by user-supplied JANUS WEB rules:
JANUS WEB portname ALLOW * USER *
JANUS WEB portname TYPE ANY * TEXT/PLAIN
JANUS WEB portname TYPE ANY *.HTML TEXT/HTML
JANUS WEB portname TYPE ANY / TEXT/HTML
JANUS WEB portname TYPE ANY *.HTM TEXT/HTML
JANUS WEB portname TYPE ANY *.GIF IMAGE/GIF
JANUS WEB portname TYPE ANY *.JPEG IMAGE/JPEG
JANUS WEB portname TYPE ANY *.JPG IMAGE/JPEG
These rules take effect for a Janus port specified by a JANUS DEFINE portname command.
Notes
- Prior to Model 204 version 7.6, the following two rules were also automatically in force as soon as a port was defined:
JANUS WEB portname ON / OPEN FILE SIRIUS CMD 'INCLUDE JANWEB.HOMEPAGE.HTML'
JANUS WEB portname ON /JANWEB/* OPEN FILE SIRIUS CMD 'INCLUDE JANWEB.*'
These rules set up access to the Janus Web sample home page and to demonstration application procedures. As of Model 204 7.6, there are no automatic JANUS WEB ON rules, so the above rules need to be manually added to a port just like any other rules.
Furthermore, as of RKTools version 7.7, the code for the Janus Network Security SSL maintenance application, which provides for generation of self-signed security certificates and certificate requests, and the code for the Janus Web demonstration applications reside in the M204PROC file instead of in the SIRIUS file. To get the same access to a web port that the old automatic rules provided, these are the rules to add manually for the port:
JANUS WEB portname ON / OPEN FILE M204PROC CMD 'INCLUDE JANWEB.HOMEPAGE.HTML'
JANUS WEB portname ON /JANWEB/* OPEN FILE M204PROC CMD 'INCLUDE JANWEB.*'
- Prior to Model 204 V7.6, there was a single default ALLOW rule:
JANUS WEB portname ALLOW *
This rule makes all web pages public. As of Model 204 V7.6, that automatic ALLOW rule is changed to:
JANUS WEB portname ALLOW * USER *
This slightly more formal version of the rule allows all users to see all pages, but it requires that the user have a valid user ID. In cases where a default WEBUSER ID is specified on the port definition, non-logged-in users will have that default ID.
Note: If the Janus port definition includes the SSL parameter, the default ALLOW rule was and is:
ALLOW * USER user