Defining Web rules: Difference between revisions

From m204wiki
Jump to navigation Jump to search
m (minor formatting)
Line 193: Line 193:
</p>
</p>
<p>
<p>
This rule means that a system administrator must define the ALLOW rules which are desired for users to access non-SSL ports. </p>
This rule means that a system administrator must explicitly define <var>ALLOW</var> rules to enable users to access non-SSL ports. </p>


<blockquote class="note"><b>Notes:</b>
<blockquote class="note"><b>Notes:</b>
<ul>
<ul>
<li>Starting with version 7.6, if you wish to make the default ALLOW rule as it was in prior versions (<code>ALLOW *</code>), turn on the 1 bit of the <var>[[WEBDFLT parameter|WEBDFLT]]</var> parameter:
<li>Starting with version 7.6, to make the default <var>ALLOW</var> rule as it was in earlier versions (<code>ALLOW *</code>), turn on the 1 bit of the <var>[[WEBDFLT parameter|WEBDFLT]]</var> parameter:
<p class="code">RESET WEBDFLT=1</p>
<p class="code">RESET WEBDFLT=1</p></li>
 
<li>If the Janus port definition includes the <var>[[SSL (JANUS DEFINE parameter)|SSL]]</var> parameter, the default <var>DISALLOW/ALLOW</var> rule was and is:  
<li>If the Janus port definition includes the <var>[[SSL (JANUS DEFINE parameter)|SSL]]</var> parameter, the default <var>DISALLOW/ALLOW</var> rule was and is:  
<p class="code">JANUS WEB <i>portname</i> DISALLOW *
<p class="code">JANUS WEB <i>portname</i> DISALLOW *
JANUS WEB <i>portname</i> ALLOW * USER <i>user</i> </p>
JANUS WEB <i>portname</i> ALLOW * USER <i>user</i> </p></li>
</ul>
</ul>
</blockquote ></li>
</blockquote ></li>

Revision as of 01:41, 10 February 2017

Other web servers usually have a configuration file which defines the rules by which the server will run. The Janus Web Server uses Janus subcommands. These subcommands are typically executed in Model 204's CCAIN stream or from a procedure. Because the rules become complex, and because Janus allows the rules to be changed while the server is running, it is useful to keep the commands for defining a particular port in a Model 204 procedure.

For information about the actions taken for the various subcommands of the JANUS DEFINE and JANUS WEB commands, see Command execution order.

Any number of web clients may simultaneously access a Model 204 Online that has Janus Web Server, limited only by the number of Janus Web Server threads the site is licensed for.

Each web server is associated with a specific port number. By convention, web servers usually run at port 80, and test ports typically use ports 8000, 8001, and 8080. However, you may use any port number available on the Janus TCP/IP Base, from 1 to 65535. If you want to have multiple port numbers available for web clients, issue JANUS DEFINE commands for WEB servers at those port numbers.

Sample Web rules deck

Here is a typical set of rules for defining a Janus Web Server port, associating Web rules with it, and starting it:

* First make sure the port definition isn't already there: * JANUS FORCE WEBBY JANUS DELETE WEBBY * * Then define WEBBY at port 80, allowing 300 connections, * opening a file and executing a UTABLE command: * JANUS DEFINE WEBBY 80 WEBSERV 300 WEBUSER - WWWUSER OPEN GROUP WEBDOCS - CMD 'UTABLE LSTBL 12000' * * Then define a group of IP addresses that will be granted * access to the port (deleting previous definitions first): * JANUS DELETEIPGROUP PRIVILEGED JANUS DEFINEIPGROUP PRIVILEGED - 198.242.244.0-3 169.231.0.0-24 184.194.222.7 * * Then define a group of user IDs that will be granted access * to the port (deleting previous definitions first): * JANUS DELETEUSGROUP CLOWNS JANUS DEFINEUSGGROUP CLOWNS MILKY* BOZO* * * Specify any redirection — here we transfer any requests * for Java applications to another web server: * JANUS WEB WEBBY NOREDIRECT JANUS WEB WEBBY REDIRECT *.jav - http://sirius-software.com:8080/java/*.jav * * Revoke all access globally to clear old rules, then re-grant * access based on the above-defined groups: * JANUS WEB WEBBY DISALLOW * JANUS WEB WEBBY ALLOW IPGROUP PRIVILEGED JANUS WEB WEBBY ALLOW USGROUP CLOWNS JANUS WEB WEBBY DISALLOW IPADDR 198.242.244.41 * * Specify content type with the TYPE subcommand: * JANUS WEB WEBBY TYPE *.PDF application/pdf * * Use "ON" commands to specify actions that are taken * when incoming requests contain the specified string: * JANUS WEB WEBBY ON /*.HTML SEND HTML_* JANUS WEB WEBBY ON /*.GIF SEND GIF_* JANUS WEB WEBBY ON /COMMAND/* CMD * JANUS START WEBBY

Each execution of a JANUS WEB subcommand adds to the set of rules for the specified Web Server port. Individual rules cannot be deleted nor modified; all rules can be deleted only by stopping and deleting the port definition. However, this should not be necessary, as long as you follow two guidelines:

  1. Specify the most general rules first and most specific last.
  2. Specify a first rule that will clear all related rules.

That is why the above examples specify a global rule first that revokes all previous definitions before new privileges or directives are defined. For example, look at the ALLOW directives: The first rule eliminates all previous permissions with a DISALLOW * before any ALLOWs are specified.

The JANUS DEFINE command near the top of the sample rules specifies a World Wide Web server to be created at port 80 and to be called WEBBY. It allows up to 300 simultaneous connections, and connections requesting URLs that don't require logons will appear in Model 204 as being associated with the user ID WWWUSER (in the journal, in LOGWHO commands, etc.).

A group named WEBDOCS is opened. The CMD sets LSTBL to 12000 for WWW users. URL processing is handled by rules specified on JANUS WEB subcommands — this is the default processing when CMD doesn't re-route processing to either an APSY or a SOUL procedure.

The JANUS WEB subcommand defines how the web server will act. Most of the other commands are common to any Janus port.

Command execution order

JANUS WEB rules are executed in a strict order which guarantees consistent access control and processing for URLs.

That order is:

  1. OPEN and CMD processing from the JANUS DEFINE subcommand.

    These commands are always the first to execute on any port. For Web Servers, the OPEN command might open the file containing HTML procedures, and the CMD command can be used to reset UTABLE settings.

  2. REDIRECT/NOREDIRECT

    Any requests that are being handled outside the Web Server are immediately routed out.

  3. ALLOW/DISALLOW

    Access security rules are applied. Anytime a USER or USGROUP is specified, Model 204 logon processing is invoked.

  4. JANUS WEB TYPE definitions

    Datatype (mime) specifications are applied to URLs.

  5. OPEN and CMD processing from the JANUS DEFINE command

    The OPEN and CMD commands on the DEFINE command can initiate a generic web driver procedure to be used to collect usage activity for the port — perhaps based on URL, user ID, or IP address.

  6. JANUS WEB ON directives

    The OPEN parameter in an ON rule opens a file or group specific to the URL, and the CMD, SEND, or RECEIVE parameter indicates the action to be taken for matching URLs.

Within the above order, the JANUS WEB rules are searched in reverse order for the first match; that is, the last matching rule specified takes precedence over all previous rules.

Automatic Web rules

As an aid to initially setting up and testing server ports, Janus Web Server always applies the following built-in (assembler code) rules. They are in effect unless disabled or overridden by user-supplied JANUS WEB rules:

JANUS WEB portname ALLOW * USER * JANUS WEB portname TYPE ANY * TEXT/PLAIN JANUS WEB portname TYPE ANY *.HTML TEXT/HTML JANUS WEB portname TYPE ANY / TEXT/HTML JANUS WEB portname TYPE ANY *.HTM TEXT/HTML JANUS WEB portname TYPE ANY *.GIF IMAGE/GIF JANUS WEB portname TYPE ANY *.JPEG IMAGE/JPEG JANUS WEB portname TYPE ANY *.JPG IMAGE/JPEG

These rules take effect for a Janus port specified by a JANUS DEFINE portname command.

Notes

  • Prior to Model 204 version 7.6, the following two rules were also automatically in force as soon as a port was defined:

    JANUS WEB portname ON / OPEN FILE SIRIUS CMD 'INCLUDE JANWEB.HOMEPAGE.HTML' JANUS WEB portname ON /JANWEB/* OPEN FILE SIRIUS CMD 'INCLUDE JANWEB.*'

    These rules set up access to the Janus Web sample home page and to demonstration application procedures. As of Model 204 7.6, there are no automatic JANUS WEB ON rules, so the above rules need to be manually added to a port just like any other rules.

    Furthermore, as of RKTools version 7.7, the code for the Janus Network Security SSL maintenance application, which provides for generation of self-signed security certificates and certificate requests, and the code for the Janus Web demonstration applications resides in the M204PROC file instead of in the SIRIUS file. To get the same access to a web port that the old automatic rules provided, these are the rules to add manually for the port:

    JANUS WEB portname ON / OPEN FILE M204PROC CMD 'INCLUDE JANWEB.HOMEPAGE.HTML' JANUS WEB portname ON /JANWEB/* OPEN FILE M204PROC CMD 'INCLUDE JANWEB.*'

  • Prior to Model 204 V7.6, the default ALLOW rule for non-SSL Web ports was:

    JANUS WEB portname ALLOW *

    This rule made all non-SSL web pages public. As of Model 204 V7.6, that automatic ALLOW rule is changed to:

    JANUS WEB portname DISALLOW *

    This rule means that a system administrator must explicitly define ALLOW rules to enable users to access non-SSL ports.

    Notes:

    • Starting with version 7.6, to make the default ALLOW rule as it was in earlier versions (ALLOW *), turn on the 1 bit of the WEBDFLT parameter:

      RESET WEBDFLT=1

    • If the Janus port definition includes the SSL parameter, the default DISALLOW/ALLOW rule was and is:

      JANUS WEB portname DISALLOW * JANUS WEB portname ALLOW * USER user

See also