Defining Web rules: Difference between revisions

From m204wiki
Jump to navigation Jump to search
m (typos)
m (typo)
 
(10 intermediate revisions by 3 users not shown)
Line 29: Line 29:
Here is a typical set of rules for defining a <var class="product">Janus Web Server</var> port,
Here is a typical set of rules for defining a <var class="product">Janus Web Server</var> port,
associating Web rules with it, and starting it:
associating Web rules with it, and starting it:
<p class="code">&#42; First make sure the port definition isn't
<p class="code">&#42; First make sure the port definition isn't already there:
&#42; already there.
&#42;
&#42;
JANUS FORCE WEBBY
JANUS FORCE WEBBY
JANUS DELETE WEBBY
JANUS DELETE WEBBY
&#42;
&#42;
&#42; Then define WEBBY at port 80, allowing 300
&#42; Then define WEBBY at port 80, allowing 300 connections,
&#42; connections, opening a file and executing a
&#42; opening a file and executing a UTABLE command:
&#42; UTABLE command.
&#42;
&#42;
JANUS DEFINE WEBBY 80 WEBSERV 300 WEBUSER -
JANUS DEFINE WEBBY 80 WEBSERV 300 WEBUSER -
Line 43: Line 41:
       CMD 'UTABLE LSTBL 12000'
       CMD 'UTABLE LSTBL 12000'
&#42;
&#42;
&#42; Then define a group of IP addresses that will
&#42; Then define a group of IP addresses that will be granted
&#42; be granted access to the port (deleting previous
&#42; access to the port (deleting previous definitions first):
&#42; definitions first).
&#42;
&#42;
JANUS DELETEIPGROUP PRIVILEGED
JANUS DELETEIPGROUP PRIVILEGED
Line 51: Line 48:
       198.242.244.0-3 169.231.0.0-24 184.194.222.7
       198.242.244.0-3 169.231.0.0-24 184.194.222.7
&#42;
&#42;
&#42; Then define a group of user IDs that will be
&#42; Then define a group of user IDs that will be granted access
&#42; granted access to the port (deleting previous
&#42; to the port (deleting previous definitions first):
&#42; definitions first).
&#42;
&#42;
JANUS DELETEUSGROUP CLOWNS
JANUS DELETEUSGROUP CLOWNS
JANUS DEFINEUSGGROUP CLOWNS MILKY* BOZO*
JANUS DEFINEUSGGROUP CLOWNS MILKY* BOZO*
&#42;
&#42;
&#42; Specify any redirection &mdash; here we transfer
&#42; Specify any redirection &mdash; here we transfer any requests
&#42; any requests for Java applications to another
&#42; for Java applications to another web server:
&#42; web server.
&#42;
&#42;
JANUS WEB WEBBY NOREDIRECT
JANUS WEB WEBBY NOREDIRECT
Line 66: Line 61:
       http://sirius-software.com:8080/java/*.jav
       http://sirius-software.com:8080/java/*.jav
&#42;
&#42;
&#42; Revoke all access globally to clear old rules,
&#42; Revoke all access globally to clear old rules, then re-grant
&#42; then re-grant access based on the above-defined
&#42; access based on the above-defined groups:
&#42; groups.
&#42;
&#42;
JANUS WEB WEBBY DISALLOW *
JANUS WEB WEBBY DISALLOW *
Line 75: Line 69:
JANUS WEB WEBBY DISALLOW IPADDR 198.242.244.41
JANUS WEB WEBBY DISALLOW IPADDR 198.242.244.41
&#42;
&#42;
&#42; Specify content type with the TYPE subcommand.
&#42; Specify content type with the TYPE subcommand:
&#42;
&#42;
JANUS WEB WEBBY TYPE *.PDF application/pdf
JANUS WEB WEBBY TYPE *.PDF application/pdf
&#42;
&#42;
&#42; Use "ON" commands to specify actions that are
&#42; Use "ON" commands to specify actions that are taken
&#42; taken when incoming requests contain the
&#42; when incoming requests contain the specified string:
&#42; specified string.
&#42;
&#42;
JANUS WEB WEBBY ON /*.HTML SEND HTML_*
JANUS WEB WEBBY ON /*.HTML SEND HTML_*
Line 91: Line 84:
Each execution of a <var>[[JANUS WEB]]</var> subcommand adds to the set of rules for
Each execution of a <var>[[JANUS WEB]]</var> subcommand adds to the set of rules for
the specified <var class="product">Web Server</var> port.
the specified <var class="product">Web Server</var> port.
Individual rules cannot be deleted nor
Individual rules cannot be deleted nor modified; all rules can be deleted only by stopping and deleting the
modified; all rules can be deleted only by stopping and deleting the
port definition.
port definition.
However, this should not be necessary, as long as you
However, this should not be necessary, as long as you follow two guidelines:
follow two guidelines:
<ol>
<ol>
<li>Specify the most general rules first and most specific last.
<li>Specify the most general rules first and most specific last.
Line 105: Line 96:
defined.
defined.
For example, look at the <var>[[JANUS WEB ALLOW|ALLOW]]</var> directives:
For example, look at the <var>[[JANUS WEB ALLOW|ALLOW]]</var> directives:
The first rule
The first rule eliminates all previous permissions with a <code>DISALLOW *</code> before any <var>ALLOW</var>s
eliminates all previous permissions with a <code>DISALLOW *</code> before any <var>ALLOW</var>s
are specified.
are specified.
   
   
The <var>[[JANUS DEFINE]]</var> command near the top of the sample rules specifies a World
The <var>[[JANUS DEFINE]]</var> command near the top of the sample rules specifies a World
Wide Web server to be created at port 80 and to be called <code>WEBBY</code>.
Wide Web server to be created at port 80 and to be called <code>WEBBY</code>.
It
It allows up to 300 simultaneous connections, and connections requesting
allows up to 300 simultaneous connections, and connections requesting
URLs that don't require logons will appear in <var class="product">Model&nbsp;204</var> as being
URLs that don't require logons will appear in <var class="product">Model 204</var> as being
associated with the user ID <code>WWWUSER</code> (in the journal, in <var>LOGWHO</var> commands, etc.).
associated with the userid <code>WWWUSER</code> (in the journal, in <var>LOGWHO</var>
commands, etc.).
   
   
A group named <code>WEBDOCS</code> is opened.
A group named <code>WEBDOCS</code> is opened.
The <code>CMD</code> sets <var>LSTBL</var> to 12000 for WWW
The <code>CMD</code> sets <var>LSTBL</var> to 12000 for WWW users.
users.
URL processing is handled by rules specified on <var>JANUS WEB</var>
URL processing is handled by rules specified on <var>JANUS WEB</var>
subcommands &mdash; this is the default processing when <var>CMD</var> doesn't re-route
subcommands &mdash; this is the default processing when <var>CMD</var> doesn't re-route
processing to either an APSY or a <var class="product">User Language</var> procedure.
processing to either an APSY or a <var class="product">SOUL</var> procedure.
   
   
The <var>JANUS WEB</var> subcommand defines how the web server will act.
The <var>JANUS WEB</var> subcommand defines how the web server will act.
Line 147: Line 134:
<p>
<p>
Access security rules are applied.
Access security rules are applied.
Anytime a <code>USER</code> or <code>USGROUP</code> is specified, <var class="product">Model204</var> logon processing
Anytime a <code>USER</code> or <code>USGROUP</code> is specified, <var class="product">Model&nbsp;204</var> logon processing
is invoked. </p></li>
is invoked. </p></li>


Line 173: Line 160:


==Automatic Web rules==
==Automatic Web rules==
As an aid to initially setting up and testing server ports, Janus Web Server always includes the following built-in (assembler code) rules. They are in effect unless disabled or overridden by user-supplied <var>JANUS WEB</var> rules:
As an aid to initially setting up and testing server ports, Janus Web Server currently applies the following built-in (assembler code) rules. They are in effect unless disabled or overridden by user-supplied <var>JANUS WEB</var> rules:
<p class="code">JANUS WEB <i>portname</i> ALLOW *                  
<p class="code">JANUS WEB <i>portname</i> DISALLOW *  
JANUS WEB <i>portname</i> TYPE ANY * TEXT/PLAIN    
JANUS WEB <i>portname</i> TYPE ANY * TEXT/PLAIN  
JANUS WEB <i>portname</i> TYPE ANY *.HTML TEXT/HTML
JANUS WEB <i>portname</i> TYPE ANY *.HTML TEXT/HTML
JANUS WEB <i>portname</i> TYPE ANY / TEXT/HTML      
JANUS WEB <i>portname</i> TYPE ANY / TEXT/HTML
JANUS WEB <i>portname</i> TYPE ANY *.HTM TEXT/HTML  
JANUS WEB <i>portname</i> TYPE ANY *.HTM TEXT/HTML
JANUS WEB <i>portname</i> TYPE ANY *.GIF IMAGE/GIF  
JANUS WEB <i>portname</i> TYPE ANY *.GIF IMAGE/GIF
JANUS WEB <i>portname</i> TYPE ANY *.JPEG IMAGE/JPEG  
JANUS WEB <i>portname</i> TYPE ANY *.JPEG IMAGE/JPEG  
JANUS WEB <i>portname</i> TYPE ANY *.JPG IMAGE/JPEG   </p>                                 
JANUS WEB <i>portname</i> TYPE ANY *.JPG IMAGE/JPEG </p>                                 


These rules take effect for a Janus port specified by a <var>JANUS DEFINE <i>portname</i></var> command.  
These rules take effect for a Janus port specified by a <var>JANUS DEFINE <i>portname</i></var> command.  
Line 191: Line 178:
JANUS WEB <i>portname</i> ON /JANWEB/* OPEN FILE SIRIUS CMD 'INCLUDE JANWEB.*' </p>
JANUS WEB <i>portname</i> ON /JANWEB/* OPEN FILE SIRIUS CMD 'INCLUDE JANWEB.*' </p>
<p>
<p>
These rules set up access to the Janus Web sample home page and to demonstration application procedures. As of Model 204 7.6, there are no automatic <var>JANUS WEB ON</var> rules, so the above rules need to be manually added to a port just like any other rules. </p>
These rules set up access to the Janus Web sample home page and to demonstration application procedures. As of Model&nbsp;204 7.6, there are no automatic <var>JANUS WEB ON</var> rules, so the above rules need to be manually added to a port just like any other rules. </p>
<p>
<p>
Furthermore, as of [[RKTools]] version 7.7, the code for the Janus Network Security SSL maintenance application, which provides for generation of self-signed security certificates and certificate requests, and the code for for the Janus Web demonstration applications resides in the <code>M204PROC</code> file instead of in the <code>SIRIUS</code> file. To get the same access to a web port that the old automatic rules provided, these are the rules to add manually for the port: </p>
Furthermore, as of [[RKTools]] version 7.7, the code for the Janus Network Security SSL maintenance application, which provides for generation of self-signed security certificates and certificate requests, and the code for the Janus Web demonstration applications resides in the <code>M204PROC</code> file instead of in the <code>SIRIUS</code> file. To get the same access to a web port that the old automatic rules provided, these are the rules to add manually for the port: </p>
<p class="code">JANUS WEB <i>portname</i> ON / OPEN FILE M204PROC CMD 'INCLUDE JANWEB.HOMEPAGE.HTML'
<p class="code">JANUS WEB <i>portname</i> ON / OPEN FILE M204PROC CMD 'INCLUDE JANWEB.HOMEPAGE.HTML'
JANUS WEB <i>portname</i> ON /JANWEB/* OPEN FILE M204PROC CMD 'INCLUDE JANWEB.*'  
JANUS WEB <i>portname</i> ON /JANWEB/* OPEN FILE M204PROC CMD 'INCLUDE JANWEB.*'  
</p></li>
</p></li>


<li>Prior to Model 204 V7.6, there was a single default <var>ALLOW</var> rule:
<li>Prior to Model&nbsp;204 version 7.6, the default <var>ALLOW</var> rule for non-SSL Web ports was:
<p class="code">JANUS WEB <i>portname</i> ALLOW *
<p class="code">JANUS WEB <i>portname</i> ALLOW *
</p>
</p>
<p>
<p>
This rule makes all web pages public. As of Model 204 V7.6, that automatic <var>ALLOW</var> rule is changed to: </p>
This rule made all non-SSL web pages public. Model&nbsp;204 7.6 maintenance zaps change the automatic <var>ALLOW</var> rule to: </p>
<p class="code">JANUS WEB <i>portname</i> ALLOW * USER *
<p class="code">JANUS WEB <i>portname</i> DISALLOW *
</p>
</p>
<p>
<p>
This slightly more formal version of the rule allows all users to see all pages, but it requires that the user have a valid user ID. In cases where a default <code>WEBUSER</code> ID is specified on the port definition, non-logged-in users will have that default ID. </p></li>
This rule means that a system administrator must explicitly define <var>ALLOW</var> rules to enable users to access non-SSL ports. </p>
 
<blockquote class="note"><b>Notes:</b>
<ul>
<li>With version 7.6 zap 76Z090 or version 7.7 zap 77Z420, you can make the default <var>ALLOW</var> rule as it was in version 7.5 and earlier (<code>ALLOW *</code>) by turning on the 1 bit of the <var>[[WEBDFLT parameter|WEBDFLT]]</var> parameter:
<p class="code">RESET WEBDFLT=1</p></li>
 
<li>If the Janus port definition includes the <var>[[SSL (JANUS DEFINE parameter)|SSL]]</var> parameter, the default <var>DISALLOW/ALLOW</var> rule was and is:
<p class="code">JANUS WEB <i>portname</i> DISALLOW *
JANUS WEB <i>portname</i> ALLOW * USER <i>user</i> </p></li>
</ul>
</blockquote ></li>
</ul>
</ul>



Latest revision as of 20:50, 10 February 2017

Other web servers usually have a configuration file which defines the rules by which the server will run. The Janus Web Server uses Janus subcommands. These subcommands are typically executed in Model 204's CCAIN stream or from a procedure. Because the rules become complex, and because Janus allows the rules to be changed while the server is running, it is useful to keep the commands for defining a particular port in a Model 204 procedure.

For information about the actions taken for the various subcommands of the JANUS DEFINE and JANUS WEB commands, see Command execution order.

Any number of web clients may simultaneously access a Model 204 Online that has Janus Web Server, limited only by the number of Janus Web Server threads the site is licensed for.

Each web server is associated with a specific port number. By convention, web servers usually run at port 80, and test ports typically use ports 8000, 8001, and 8080. However, you may use any port number available on the Janus TCP/IP Base, from 1 to 65535. If you want to have multiple port numbers available for web clients, issue JANUS DEFINE commands for WEB servers at those port numbers.

Sample Web rules deck

Here is a typical set of rules for defining a Janus Web Server port, associating Web rules with it, and starting it:

* First make sure the port definition isn't already there: * JANUS FORCE WEBBY JANUS DELETE WEBBY * * Then define WEBBY at port 80, allowing 300 connections, * opening a file and executing a UTABLE command: * JANUS DEFINE WEBBY 80 WEBSERV 300 WEBUSER - WWWUSER OPEN GROUP WEBDOCS - CMD 'UTABLE LSTBL 12000' * * Then define a group of IP addresses that will be granted * access to the port (deleting previous definitions first): * JANUS DELETEIPGROUP PRIVILEGED JANUS DEFINEIPGROUP PRIVILEGED - 198.242.244.0-3 169.231.0.0-24 184.194.222.7 * * Then define a group of user IDs that will be granted access * to the port (deleting previous definitions first): * JANUS DELETEUSGROUP CLOWNS JANUS DEFINEUSGGROUP CLOWNS MILKY* BOZO* * * Specify any redirection — here we transfer any requests * for Java applications to another web server: * JANUS WEB WEBBY NOREDIRECT JANUS WEB WEBBY REDIRECT *.jav - http://sirius-software.com:8080/java/*.jav * * Revoke all access globally to clear old rules, then re-grant * access based on the above-defined groups: * JANUS WEB WEBBY DISALLOW * JANUS WEB WEBBY ALLOW IPGROUP PRIVILEGED JANUS WEB WEBBY ALLOW USGROUP CLOWNS JANUS WEB WEBBY DISALLOW IPADDR 198.242.244.41 * * Specify content type with the TYPE subcommand: * JANUS WEB WEBBY TYPE *.PDF application/pdf * * Use "ON" commands to specify actions that are taken * when incoming requests contain the specified string: * JANUS WEB WEBBY ON /*.HTML SEND HTML_* JANUS WEB WEBBY ON /*.GIF SEND GIF_* JANUS WEB WEBBY ON /COMMAND/* CMD * JANUS START WEBBY

Each execution of a JANUS WEB subcommand adds to the set of rules for the specified Web Server port. Individual rules cannot be deleted nor modified; all rules can be deleted only by stopping and deleting the port definition. However, this should not be necessary, as long as you follow two guidelines:

  1. Specify the most general rules first and most specific last.
  2. Specify a first rule that will clear all related rules.

That is why the above examples specify a global rule first that revokes all previous definitions before new privileges or directives are defined. For example, look at the ALLOW directives: The first rule eliminates all previous permissions with a DISALLOW * before any ALLOWs are specified.

The JANUS DEFINE command near the top of the sample rules specifies a World Wide Web server to be created at port 80 and to be called WEBBY. It allows up to 300 simultaneous connections, and connections requesting URLs that don't require logons will appear in Model 204 as being associated with the user ID WWWUSER (in the journal, in LOGWHO commands, etc.).

A group named WEBDOCS is opened. The CMD sets LSTBL to 12000 for WWW users. URL processing is handled by rules specified on JANUS WEB subcommands — this is the default processing when CMD doesn't re-route processing to either an APSY or a SOUL procedure.

The JANUS WEB subcommand defines how the web server will act. Most of the other commands are common to any Janus port.

Command execution order

JANUS WEB rules are executed in a strict order which guarantees consistent access control and processing for URLs.

That order is:

  1. OPEN and CMD processing from the JANUS DEFINE subcommand.

    These commands are always the first to execute on any port. For Web Servers, the OPEN command might open the file containing HTML procedures, and the CMD command can be used to reset UTABLE settings.

  2. REDIRECT/NOREDIRECT

    Any requests that are being handled outside the Web Server are immediately routed out.

  3. ALLOW/DISALLOW

    Access security rules are applied. Anytime a USER or USGROUP is specified, Model 204 logon processing is invoked.

  4. JANUS WEB TYPE definitions

    Datatype (mime) specifications are applied to URLs.

  5. OPEN and CMD processing from the JANUS DEFINE command

    The OPEN and CMD commands on the DEFINE command can initiate a generic web driver procedure to be used to collect usage activity for the port — perhaps based on URL, user ID, or IP address.

  6. JANUS WEB ON directives

    The OPEN parameter in an ON rule opens a file or group specific to the URL, and the CMD, SEND, or RECEIVE parameter indicates the action to be taken for matching URLs.

Within the above order, the JANUS WEB rules are searched in reverse order for the first match; that is, the last matching rule specified takes precedence over all previous rules.

Automatic Web rules

As an aid to initially setting up and testing server ports, Janus Web Server currently applies the following built-in (assembler code) rules. They are in effect unless disabled or overridden by user-supplied JANUS WEB rules:

JANUS WEB portname DISALLOW * JANUS WEB portname TYPE ANY * TEXT/PLAIN JANUS WEB portname TYPE ANY *.HTML TEXT/HTML JANUS WEB portname TYPE ANY / TEXT/HTML JANUS WEB portname TYPE ANY *.HTM TEXT/HTML JANUS WEB portname TYPE ANY *.GIF IMAGE/GIF JANUS WEB portname TYPE ANY *.JPEG IMAGE/JPEG JANUS WEB portname TYPE ANY *.JPG IMAGE/JPEG

These rules take effect for a Janus port specified by a JANUS DEFINE portname command.

Notes

  • Prior to Model 204 version 7.6, the following two rules were also automatically in force as soon as a port was defined:

    JANUS WEB portname ON / OPEN FILE SIRIUS CMD 'INCLUDE JANWEB.HOMEPAGE.HTML' JANUS WEB portname ON /JANWEB/* OPEN FILE SIRIUS CMD 'INCLUDE JANWEB.*'

    These rules set up access to the Janus Web sample home page and to demonstration application procedures. As of Model 204 7.6, there are no automatic JANUS WEB ON rules, so the above rules need to be manually added to a port just like any other rules.

    Furthermore, as of RKTools version 7.7, the code for the Janus Network Security SSL maintenance application, which provides for generation of self-signed security certificates and certificate requests, and the code for the Janus Web demonstration applications resides in the M204PROC file instead of in the SIRIUS file. To get the same access to a web port that the old automatic rules provided, these are the rules to add manually for the port:

    JANUS WEB portname ON / OPEN FILE M204PROC CMD 'INCLUDE JANWEB.HOMEPAGE.HTML' JANUS WEB portname ON /JANWEB/* OPEN FILE M204PROC CMD 'INCLUDE JANWEB.*'

  • Prior to Model 204 version 7.6, the default ALLOW rule for non-SSL Web ports was:

    JANUS WEB portname ALLOW *

    This rule made all non-SSL web pages public. Model 204 7.6 maintenance zaps change the automatic ALLOW rule to:

    JANUS WEB portname DISALLOW *

    This rule means that a system administrator must explicitly define ALLOW rules to enable users to access non-SSL ports.

    Notes:

    • With version 7.6 zap 76Z090 or version 7.7 zap 77Z420, you can make the default ALLOW rule as it was in version 7.5 and earlier (ALLOW *) by turning on the 1 bit of the WEBDFLT parameter:

      RESET WEBDFLT=1

    • If the Janus port definition includes the SSL parameter, the default DISALLOW/ALLOW rule was and is:

      JANUS WEB portname DISALLOW * JANUS WEB portname ALLOW * USER user

See also